GHSA-xwgj-vpm9-q2rq
First published: Thu Oct 03 2024(Updated: )
### Impact An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running. On a juju controller agent, denial of service can be performed by using the `/leases/revoke` endpoint. Revoking leases in juju can cause availability issues. On a juju machine agent that is hosting units, disabling the unit component can be performed using the `/units` endpoint with a "stop" action. ### Patches Patch: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b Patched in: - 3.5.4 - 3.4.6 - 3.3.7 - 3.1.10 - 2.9.51 ### Workarounds No workaround. ### References https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/juju/juju | <0.0.0-20240829052008-43f0fc59790d | 0.0.0-20240829052008-43f0fc59790d |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq
- https://nvd.nist.gov/vuln/detail/CVE-2024-8038
- https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
- https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125
- https://github.com/advisories/GHSA-xwgj-vpm9-q2rq (Advisory)
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-xwgj-vpm9-q2rq
- alias/CVE-2024-8038
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/severity
- agent/type
- agent/softwarecombine
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- package-manager/go