CVE-2024-8038
published 2024-10-02CVE-2024-8038: Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication…
PriorityP420medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
EPSS
0.21%
11.2th percentile
Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | juju | < 2.9.51 | 2.9.51 |
| canonical | juju | >= 3.1.0 < 3.1.10 | 3.1.10 |
| canonical | juju | 3.2.0 – 3.2.4 | — |
| canonical | juju | >= 3.3 < 3.3.7 | 3.3.7 |
| canonical | juju | >= 3.4 < 3.4.6 | 3.4.6 |
| canonical | juju | >= 3.5.0 < 3.5.4 | 3.5.4 |
| canonical_ltd | juju | >= 2.9 < 2.9.51 | 2.9.51 |
| canonical_ltd | juju | >= 3.1 < 3.1.10 | 3.1.10 |
| canonical_ltd | juju | >= 3.3 < 3.3.7 | 3.3.7 |
| canonical_ltd | juju | >= 3.4 < 3.4.6 | 3.4.6 |
| canonical_ltd | juju | >= 3.5 < 3.5.4 | 3.5.4 |
| github.com | juju_juju | >= 0 < 0.0.0-20240829052008-43f0fc59790d | 0.0.0-20240829052008-43f0fc59790d |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju
osv·2024-10-09
CVE-2024-8038 Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju
Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju
Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/juju/juju before v0.0.0-20240829052008-43f0fc59790d.
GHSA
Vulnerable juju introspection abstract UNIX domain socket
ghsa·2024-10-03
CVE-2024-8038 [MEDIUM] Vulnerable juju introspection abstract UNIX domain socket
Vulnerable juju introspection abstract UNIX domain socket
### Impact
An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running.
On a juju controller agent, denial of service can be performed by using the `/leases/revoke` endpoint. Revoking leases in juju can cause availability issues.
On a juju machine agent that is hosting units, disabling the unit component can be performed using the `/units` endpoint with a "stop" action.
### Patches
Patch: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
Patched in:
- 3.5.4
- 3.4.6
- 3.3.7
- 3.1.10
- 2.9.51
### Workarounds
No workaround.
### References
https://github.com/juju/juju/blob/7
OSV
Vulnerable juju introspection abstract UNIX domain socket
osv·2024-10-03
CVE-2024-8038 [MEDIUM] Vulnerable juju introspection abstract UNIX domain socket
Vulnerable juju introspection abstract UNIX domain socket
### Impact
An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running.
On a juju controller agent, denial of service can be performed by using the `/leases/revoke` endpoint. Revoking leases in juju can cause availability issues.
On a juju machine agent that is hosting units, disabling the unit component can be performed using the `/units` endpoint with a "stop" action.
### Patches
Patch: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
Patched in:
- 3.5.4
- 3.4.6
- 3.3.7
- 3.1.10
- 2.9.51
### Workarounds
No workaround.
### References
https://github.com/juju/juju/blob/7
No detection rules found.
No public exploits indexed.
2024-10-02
Published