
CVE-2023-0092
https://notcve.org/view.php?id=CVE-2023-0092
31 Jan 2025 — An authenticated user who has read access to the Juju controller model may construct a remote request to download an arbitrary file from the controller's filesystem. • https://github.com/advisories/GHSA-x5rv-w9pm-8qp8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-28653
https://notcve.org/view.php?id=CVE-2022-28653
31 Jan 2025 — Users can consume unlimited disk space in /var/crash. • https://www.cve.org/CVERecord?id=CVE-2022-28653 •

CVE-2024-6219 – openSUSE Security Advisory - openSUSE-SU-2024:14567-1
https://notcve.org/view.php?id=CVE-2024-6219
05 Dec 2024 — Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. These are all security issues fixed in the govulncheck-vulndb-0.0.20241209T183251-1.1 package on the GA media of openSUSE Tumbleweed. • https://github.com/canonical/lxd/security/advisories/GHSA-jpmc-7p9c-4rxf • CWE-295: Improper Certificate Validation •

CVE-2024-6156 – openSUSE Security Advisory - openSUSE-SU-2024:14567-1
https://notcve.org/view.php?id=CVE-2024-6156
05 Dec 2024 — Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store. These are all security issues fixed in the govulncheck-vulndb-0.0.20241209T183251-1.1 package on the GA media of openSUSE Tumbleweed. • https://github.com/canonical/lxd/security/advisories/GHSA-4c49-9fpc-hc3v • CWE-295: Improper Certificate Validation •

CVE-2024-11586
https://notcve.org/view.php?id=CVE-2024-11586
23 Nov 2024 — Ubuntu's implementation of PulseAudio can be crashed by a malicious program if a Bluetooth headset is connected. • https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/2078822 • CWE-404: Improper Resource Shutdown or Release •

CVE-2024-9312 – openSUSE Security Advisory - openSUSE-SU-2024:0350-1
https://notcve.org/view.php?id=CVE-2024-9312
10 Oct 2024 — Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. An update that fixes 56 vulnerabilities and contains one feature is now available. This update for govulncheck-vulndb fixes the following issues. • https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2 • CWE-286: Incorrect User Management •

CVE-2024-9313 – openSUSE Security Advisory - openSUSE-SU-2024:0350-1
https://notcve.org/view.php?id=CVE-2024-9313
03 Oct 2024 — The Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation as them, including authenticating as them. An update that fixes 56 vulnerabilities, conta... • https://github.com/ubuntu/authd/security/advisories/GHSA-x5q3-c8rm-w787 •

CVE-2024-8038 – openSUSE Security Advisory - openSUSE-SU-2024:0350-1
https://notcve.org/view.php?id=CVE-2024-8038
02 Oct 2024 — Vulnerable Juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available locally, without authentication, to any user in the same network namespace. This enables denial-of-service attacks. An update that fixes 56 vulnerabilities and contains one feature is now available. This update for govulncheck-vulndb fixes the following issues. • https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq • CWE-420: Unprotected Alternate Channel •

CVE-2024-8037 – openSUSE Security Advisory - openSUSE-SU-2024:0350-1
https://notcve.org/view.php?id=CVE-2024-8037
02 Oct 2024 — Vulnerable Juju hook tool abstract UNIX domain socket. When combined with an attack on JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a Juju charm. An update that fixes 56 vulnerabilities and contains one feature is now available. This update for govulncheck-vulndb fixes the following issues. • https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x • CWE-276: Incorrect Default Permissions •

CVE-2024-7558 – openSUSE Security Advisory - openSUSE-SU-2024:0350-1
https://notcve.org/view.php?id=CVE-2024-7558
02 Oct 2024 — JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or in a Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm. An update that fixes 56 vulnerabilities and contains one feature is now available. This update for govulncheck-vulndb fixes the following issues. • https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4 • CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG); CWE-340: Generation of Predictable Numbers or Identifiers; CWE-1391: Use of Weak Credentials •