CVE-2024-8037

CWE-276Incorrect Default PermissionsCWE-284Improper Access ControlCWE-476NULL Pointer Dereference6 documents5 sources
Severity
6.5MEDIUM
EPSS
0.1%
top 73.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Canonical Ltd. JujuGithub.com Juju/jujuCanonical Juju
Timeline
PublishedOct 2
Latest updateOct 21

Description

Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:HExploitability: 1.0 | Impact: 5.5

Affected Packages3 packages

NVDcanonical/juju3.1.03.1.10+5
CVEListV5canonical_ltd./juju3.53.5.4+4
Gogithub.com/juju/juju< 0.0.0-20240820065804-2f2ec128ef5a

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju2024-10-09
GHSA
Vulnerable juju hook tool abstract UNIX domain socket2024-10-03
OSV
Vulnerable juju hook tool abstract UNIX domain socket2024-10-03
CVEList
CVE-2024-8037: Vulnerable juju hook tool abstract UNIX domain socket2024-10-02

📋Vendor Advisories

1
Red Hat
kernel: net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC2024-10-21
CVE-2024-8037 (MEDIUM CVSS 6.5) | Vulnerable juju hook tool abstract | cvebase.io