Untriaged
Permalink
CVE-2024-7558
8.7 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine …
JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm.
References
- https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4 issue-tracking
- https://www.cve.org/CVERecord?id=CVE-2024-7558 issue-tracking
Affected products
juju
- <3.4.6
- <2.9.51
- <3.1.10
- <3.5.4
- <3.3.7
Package maintainers
-
@RealityAnomaly Alex Zero <alex@arctarus.co.uk>
-
@emilazy Emily <nixpkgs@emily.moe>
-
@thoughtpolice Austin Seipp <aseipp@pobox.com>
-
@0x4A6F Joachim Ernst <mail-maintainer@0x4A6F.dev>
-
@bbigras Bruno Bigras <bigras.bruno@gmail.com>