Attackers can exploit vulnerability in Juju hook tool to gain access to restrictive actions

CVE-2024-8037

6.5MEDIUM

Key Information

Vendor
Canonical Ltd.
Status
Juju
Vendor
CVE Published:
2 October 2024

Summary

Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.

Affected Version(s)

Juju < 3.5.4

Juju < 3.4.6

Juju < 3.3.7

Refferences

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Collectors

NVD DatabaseMitre Database

Credit

Pedro Guimaraes
Harry Pidcock
Mark Esler
.