GHSA-8v4w-f4r9-7h6x
First published: Thu Oct 03 2024(Updated: )
### Impact When combined with an attack of `JUJU_CONTEXT_ID`, any user on the local system with access to the default network namespace may connect to the `@/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket` and perform actions that are normally reserved to a juju charm. ### Patches Patch: https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206 Patched in: - 3.5.4 - 3.4.6 - 3.3.7 - 3.1.10 - 2.9.51 ### Workarounds No workarounds available. ### References [GHSA-mh98-763h-m9v4](https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4) https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/juju/juju | <0.0.0-20240820065804-2f2ec128ef5a | 0.0.0-20240820065804-2f2ec128ef5a |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x
- https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4
- https://nvd.nist.gov/vuln/detail/CVE-2024-8037
- https://github.com/juju/juju/commit/2f2ec128ef5a8ca81fc86ae79cfcdbab0007c206
- https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/uniter/paths.go#L222
- https://github.com/advisories/GHSA-8v4w-f4r9-7h6x (Advisory)
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8v4w-f4r9-7h6x
- alias/CVE-2024-8037
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/type
- agent/softwarecombine
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- package-manager/go