CVE-2024-8037
MEDIUM6.5EPSS 0.10%Vulnerable juju hook tool abstract UNIX domain socket
發布日:2024/10/3修改日:2024/10/9
描述
### Impact When combined with an attack of `JUJU_CONTEXT_ID`, any user on the local system with access to the default network namespace may connect to the `@/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket` and perform actions that are normally reserved to a juju charm. ### Patches Patch: https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206 Patched in: - 3.5.4 - 3.4.6 - 3.3.7 - 3.1.10 - 2.9.51 ### Workarounds No workarounds available. ### References [GHSA-mh98-763h-m9v4](https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4) https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222
受影響套件(2)
- Go/github.com/juju/jujufrom 0, < 0.0.0-20240820065804-2f2ec128ef5a
- Go/github.com/juju/jujufrom 0, < 0.0.0-20240820065804-2f2ec128ef5a
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:H/SA:H |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-8037
- PATCHhttps://github.com/juju/juju
- WEBhttps://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222
- WEBhttps://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206
- WEBhttps://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x
- WEBhttps://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4
- WEBhttps://pkg.go.dev/vuln/GO-2024-3174