
CVSS: 6.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

31 Jan 2025 — An authenticated user who has read access to the juju controller model may construct a remote request to download an arbitrary file from the controller's filesystem. • https://github.com/advisories/GHSA-x5rv-w9pm-8qp8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
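As an added illustration of the CWE-22 pattern in this entry (example code written for this page, not Juju's implementation), the two resolvers below take a caller-supplied file name and map it onto a served directory: the first does so with no containment check, the second rejects anything that escapes, lexically and after symlink resolution. The served directory, the request names and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested name would resolve outside the served directory.
var ErrOutsideRoot = errors.New("requested path escapes the served directory")

// vulnerableResolve is the CWE-22 shape: the caller-supplied name is joined onto
// the base directory and nothing checks that the result is still under base, so a
// request for "../../../../etc/passwd" yields a path to /etc/passwd.
func vulnerableResolve(base, requested string) string {
	return filepath.Join(base, requested)
}

// contained reports whether path lies at or below base after lexical cleaning.
func contained(base, path string) bool {
	rel, err := filepath.Rel(base, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeResolve rejects absolute names, resolves the name against base, and requires
// the result to remain under base both lexically and, when the target already
// exists, after symlink resolution (so a link planted inside base cannot point out).
func safeResolve(base, requested string) (string, error) {
	if filepath.IsAbs(requested) {
		return "", ErrOutsideRoot
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absBase, requested) // Join also cleans ".." segments
	if !contained(absBase, candidate) {
		return "", ErrOutsideRoot
	}
	if real, err := filepath.EvalSymlinks(candidate); err == nil {
		realBase, err := filepath.EvalSymlinks(absBase)
		if err != nil {
			return "", err
		}
		if !contained(realBase, real) {
			return "", ErrOutsideRoot
		}
	}
	return candidate, nil
}

func main() {
	const base = "/var/lib/juju/served" // hypothetical served directory
	for _, name := range []string{"logs/machine-0.log", "../../../../etc/passwd", "/etc/shadow"} {
		p, err := safeResolve(base, name)
		fmt.Printf("%-24s vulnerable=%-30s safe=%q err=%v\n", name, vulnerableResolve(base, name), p, err)
	}
}
```

The lexical check alone is enough against the request shown in the entry; the symlink step matters when the attacker can also create files under the served directory.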

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Jan 2025 — Users can consume unlimited disk space in /var/crash • https://www.cve.org/CVERecord?id=CVE-2022-28653 •

CVSS: 3.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Dec 2024 — Mark Laing discovered that in LXD's PKI mode, up to version 5.21.1, a restricted certificate could be added to the trust store without its restrictions being honoured. • https://github.com/canonical/lxd/security/advisories/GHSA-jpmc-7p9c-4rxf • CWE-295: Improper Certificate Validation •

CVSS: 3.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

05 Dec 2024 — Mark Laing discovered that LXD's PKI mode, up to version 5.21.2, could be bypassed if the client's certificate was present in the trust store. • https://github.com/canonical/lxd/security/advisories/GHSA-4c49-9fpc-hc3v • CWE-295: Improper Certificate Validation •

CVSS: 4.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2024 — Ubuntu's implementation of pulseaudio can be crashed by a malicious program if a bluetooth headset is connected. • https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/2078822 • CWE-404: Improper Resource Shutdown or Release •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Oct 2024 — Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. • https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2 • CWE-286: Incorrect User Management •
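An added illustration (not authd's algorithm) of the collision failure in this entry: a UID derived by hashing the name into a small range is shared by more than one name, so whoever registers the second name inherits the first user's identity, while a registry that draws from a CSPRNG and refuses already-owned UIDs cannot hand the same UID to two users. The range, the user names and the helper names are assumptions made for the example.

```go
package main

import (
	crand "crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/fnv"
	"io"
)

// deriveUID maps a user name into [base, base+span) by hashing it. Nothing checks
// whether the slot is already taken, so two names landing in the same slot share a
// UID. Illustrative of the failure described above, not authd's actual algorithm.
func deriveUID(name string, base, span uint32) uint32 {
	h := fnv.New32a()
	h.Write([]byte(name))
	return base + h.Sum32()%span
}

// firstCollision returns the first pair of distinct names that deriveUID maps to
// one UID. By the pigeonhole principle, more than span distinct names guarantee one.
func firstCollision(names []string, base, span uint32) (string, string, bool) {
	seen := make(map[uint32]string, len(names))
	for _, n := range names {
		uid := deriveUID(n, base, span)
		if prev, ok := seen[uid]; ok && prev != n {
			return prev, n, true
		}
		seen[uid] = n
	}
	return "", "", false
}

// UIDRegistry allocates UIDs at random and refuses to hand out a UID that is
// already owned, which is the property a collision-free scheme needs regardless
// of how many bits of randomness go into each draw.
type UIDRegistry struct {
	base, span uint32
	rand       io.Reader // crypto/rand.Reader in production; injectable for tests
	byName     map[string]uint32
	byUID      map[uint32]string
}

// NewUIDRegistry builds a registry over [base, base+span); a nil reader means crypto/rand.
func NewUIDRegistry(base, span uint32, rand io.Reader) *UIDRegistry {
	if rand == nil {
		rand = crand.Reader
	}
	return &UIDRegistry{base: base, span: span, rand: rand,
		byName: make(map[string]uint32), byUID: make(map[uint32]string)}
}

// Register returns the caller's existing UID or allocates a fresh, unowned one.
func (r *UIDRegistry) Register(name string) (uint32, error) {
	if uid, ok := r.byName[name]; ok {
		return uid, nil
	}
	var buf [4]byte
	for attempt := 0; attempt < 16; attempt++ {
		if _, err := io.ReadFull(r.rand, buf[:]); err != nil {
			return 0, err
		}
		uid := r.base + binary.BigEndian.Uint32(buf[:])%r.span
		if _, taken := r.byUID[uid]; taken {
			continue // collision detected: draw again instead of reusing the UID
		}
		r.byName[name], r.byUID[uid] = uid, name
		return uid, nil
	}
	return 0, errors.New("no free UID after repeated draws")
}

// Owner reports which name owns a UID, if any.
func (r *UIDRegistry) Owner(uid uint32) (string, bool) {
	name, ok := r.byUID[uid]
	return name, ok
}

func main() {
	names := make([]string, 0, 20)
	for i := 0; i < 20; i++ {
		names = append(names, fmt.Sprintf("user%d", i)) // constructed names
	}
	if a, b, ok := firstCollision(names, 100000, 16); ok {
		fmt.Printf("hash-derived UIDs: %q and %q both get %d\n", a, b, deriveUID(a, 100000, 16))
	}
	reg := NewUIDRegistry(100000, 16, nil)
	for _, n := range names[:4] {
		uid, err := reg.Register(n)
		fmt.Printf("registry: %s -> %d (err=%v)\n", n, uid, err)
	}
}
```

The range of 16 slots is deliberately tiny so the collision is visible with a handful of names; the point carries over to any scheme where the allocator never consults existing owners.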

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Oct 2024 — The Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation as them, including authenticating as them. • https://github.com/ubuntu/authd/security/advisories/GHSA-x5q3-c8rm-w787 •

CVSS: 7.9 • EPSS: 0% • CPEs: 5 • EXPL: 0

02 Oct 2024 — Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket used for introspection is reachable without authentication by any local user in the same network namespace, which enables denial of service attacks. • https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq • CWE-420: Unprotected Alternate Channel •

CVSS: 6.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

02 Oct 2024 — Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack on JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm. • https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x • CWE-276: Incorrect Default Permissions •
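For the two juju socket entries above, an added check (example code, not juju's own) that reads the abstract UNIX sockets out of /proc/net/unix, flags the listening ones under a watched name prefix, and confirms exposure the way an unprivileged local process would: by connecting. Abstract sockets have no filesystem inode, so no file mode or owner gates connections to them, which is why a sensitive one is reachable by every process in the network namespace. The agent socket prefix follows the path in the entry above; the unit name in the sample table and the helper names are constructed for the example, and because the introspection socket's name is not given on this page, its prefix has to be supplied by the caller.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// AbstractSocket is one "@name" entry from /proc/net/unix.
type AbstractSocket struct {
	Inode     string
	Listening bool
	Name      string // as printed by the kernel, including the leading '@'
}

// listeningFlag is the __SO_ACCEPTCON bit the kernel prints in the Flags column.
const listeningFlag = "00010000"

// parseProcNetUnix extracts the abstract sockets from /proc/net/unix text.
// Columns are: Num RefCount Protocol Flags Type St Inode Path. Unnamed sockets
// have no Path column and filesystem sockets are skipped as well.
func parseProcNetUnix(contents string) []AbstractSocket {
	var out []AbstractSocket
	for _, line := range strings.Split(contents, "\n") {
		if strings.HasPrefix(line, "Num") || strings.TrimSpace(line) == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 8 || !strings.HasPrefix(f[7], "@") {
			continue
		}
		out = append(out, AbstractSocket{Inode: f[6], Listening: f[3] == listeningFlag, Name: f[7]})
	}
	return out
}

// exposedSockets returns the listening abstract sockets whose name starts with one
// of the watched prefixes.
func exposedSockets(socks []AbstractSocket, prefixes []string) []AbstractSocket {
	var hits []AbstractSocket
	for _, s := range socks {
		if !s.Listening {
			continue
		}
		for _, p := range prefixes {
			if strings.HasPrefix(s.Name, p) {
				hits = append(hits, s)
				break
			}
		}
	}
	return hits
}

// reachable confirms exposure by connecting. Go's net package maps a leading '@'
// to the Linux abstract namespace; a refused or absent socket yields false.
func reachable(name string) bool {
	c, err := net.DialTimeout("unix", name, 500*time.Millisecond)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

// sampleProcNetUnix is constructed data in /proc/net/unix format; the unit name
// "unit-example-0" is hypothetical.
const sampleProcNetUnix = `Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 21894 /run/dbus/system_bus_socket
0000000000000000: 00000003 00000000 00000000 0001 03 21901
0000000000000000: 00000002 00000000 00010000 0001 01 30412 @/var/lib/juju/agents/unit-example-0/agent.socket
0000000000000000: 00000003 00000000 00000000 0001 03 30418 @/var/lib/juju/agents/unit-example-0/agent.socket
0000000000000000: 00000002 00000000 00010000 0001 01 18777 @/tmp/.X11-unix/X0
`

func main() {
	data, err := os.ReadFile("/proc/net/unix") // live table on a Linux host
	if err != nil {
		data = []byte(sampleProcNetUnix) // elsewhere, fall back to the constructed sample
	}
	socks := parseProcNetUnix(string(data))
	hits := exposedSockets(socks, []string{"@/var/lib/juju/agents/"})
	fmt.Printf("%d abstract sockets, %d under watched prefixes\n", len(socks), len(hits))
	for _, s := range hits {
		fmt.Printf("  %s (inode %s) reachable=%v\n", s.Name, s.Inode, reachable(s.Name))
	}
}
```

Run as an ordinary unprivileged user: a successful connect from that account to an agent socket is exactly the condition both entries describe.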

CVSS: 8.7 • EPSS: 0% • CPEs: 5 • EXPL: 0

02 Oct 2024 — JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or in a Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm. • https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4 • CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG) • CWE-340: Generation of Predictable Numbers or Identifiers • CWE-1391: Use of Weak Credentials •
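An added example, not juju's code, of why a seed-derived secret is guessable (CWE-337 and CWE-340 above): the weak generator builds a token from a math/rand stream seeded with a timestamp, the attacker recovers that seed by replaying the generator across a plausible window, and the strong generator draws the token from crypto/rand, where no seed exists to recover. The start timestamp, the window size and all function names are assumptions made for the example.

```go
package main

import (
	crand "crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// weakContextID is the CWE-337 shape: a 128-bit token drawn from a math/rand
// generator seeded with something guessable, here a Unix timestamp. The same seed
// always yields the same token, so the token is a function of public information.
func weakContextID(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	var b [16]byte
	binary.BigEndian.PutUint64(b[:8], r.Uint64())
	binary.BigEndian.PutUint64(b[8:], r.Uint64())
	return hex.EncodeToString(b[:])
}

// strongContextID draws the token from the kernel CSPRNG; there is no seed to guess.
func strongContextID() (string, error) {
	var b [16]byte
	if _, err := crand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]), nil
}

// recoverSeed is the attacker's side: assuming the token was seeded with a
// timestamp in [from, to], re-run the generator for each candidate until it matches.
func recoverSeed(observed string, from, to int64) (int64, bool) {
	for s := from; s <= to; s++ {
		if weakContextID(s) == observed {
			return s, true
		}
	}
	return 0, false
}

// validContextID compares a presented token to the expected one in constant time,
// so the check itself does not leak how many leading bytes were right.
func validContextID(presented, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

func main() {
	start := int64(1727827200) // hypothetical agent start time, 2024-10-02 00:00 UTC
	weak := weakContextID(start + 37)
	seed, ok := recoverSeed(weak, start, start+3600)
	fmt.Printf("weak token %s: seed recovered=%v (%d)\n", weak, ok, seed)
	strong, _ := strongContextID()
	_, ok = recoverSeed(strong, start, start+3600)
	fmt.Printf("strong token %s: seed recovered within window=%v\n", strong, ok)
}
```

An hour-wide window costs 3601 generator runs; narrowing the seed further (process start time, PID, boot time) only shrinks the search.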