Attackers can exploit vulnerability in Juju hook tool to gain access to restrictive actions
CVE-2024-8037
6.5MEDIUM
Key Information
- Vendor
- Canonical Ltd.
- Status
- Juju
- Vendor
- CVE Published:
- 2 October 2024
Summary
Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.
Affected Version(s)
Juju < 3.5.4
Juju < 3.4.6
Juju < 3.3.7
Refferences
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Collectors
NVD DatabaseMitre Database
Credit
Pedro Guimaraes
Harry Pidcock
Mark Esler