Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2024-8037

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 months ago

Vulnerable juju hook tool abstract UNIX domain socket. When combined …

Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.

References

https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x issue-tracking
https://www.cve.org/CVERecord?id=CVE-2024-8037 issue-tracking
https://www.cve.org/CVERecord?id=CVE-2024-8037 issue-tracking
https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x issue-tracking

Affected products

juju

<3.4.6
<2.9.51
<3.1.10
<3.5.4
<3.3.7

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

nixos-unstable -
- nixpkgs-unstable 3.6.9

pkgs.jujutsu

Git-compatible DVCS that is both simple and powerful

nixos-unstable -
- nixpkgs-unstable 0.33.0

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

nixos-unstable -
- nixpkgs-unstable 0.2

Package maintainers

@RealityAnomaly Alex Zero <alex@arctarus.co.uk>
@emilazy Emily <nixpkgs@emily.moe>
@thoughtpolice Austin Seipp <aseipp@pobox.com>
@0x4A6F Joachim Ernst <mail-maintainer@0x4A6F.dev>
@bbigras Bruno Bigras <bigras.bruno@gmail.com>