4 results (0.024 seconds)

CVSS: 7.9EPSS: 0%CPEs: 5EXPL: 0

Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks. • https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq https://www.cve.org/CVERecord?id=CVE-2024-8038 • CWE-420: Unprotected Alternate Channel •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0

Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm. • https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x https://www.cve.org/CVERecord?id=CVE-2024-8037 • CWE-276: Incorrect Default Permissions •

CVSS: 8.7EPSS: 0%CPEs: 5EXPL: 0

JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm. • https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4 https://www.cve.org/CVERecord?id=CVE-2024-7558 • CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG) CWE-340: Generation of Predictable Numbers or Identifiers CWE-1391: Use of Weak Credentials •

CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm. • https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2 https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx https://www.cve.org/CVERecord?id=CVE-2024-6984 • CWE-209: Generation of Error Message Containing Sensitive Information •