CVE-2024-8038
HIGH7.9EPSS 0.08%Vulnerable juju introspection abstract UNIX domain socket
Description
### Impact An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running. On a juju controller agent, denial of service can be performed by using the `/leases/revoke` endpoint. Revoking leases in juju can cause availability issues. On a juju machine agent that is hosting units, disabling the unit component can be performed using the `/units` endpoint with a "stop" action. ### Patches Patch: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b Patched in: - 3.5.4 - 3.4.6 - 3.3.7 - 3.1.10 - 2.9.51 ### Workarounds No workaround. ### References https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125
Affected packages (2)
- Go/github.com/juju/jujufrom 0, < 0.0.0-20240829052008-43f0fc59790d
- Go/github.com/juju/jujufrom 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:H/SA:H |
| osv | CVSS 3.1 | HIGH7.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-8038
- PATCHhttps://github.com/juju/juju
- WEBhttps://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125
- WEBhttps://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
- WEBhttps://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq
- WEBhttps://pkg.go.dev/vuln/GO-2024-3175