Vulnerabilities related to canonical - juju
CVE-2024-6984 (GCVE-0-2024-6984)
Vulnerability from cvelistv5
Published
2024-07-29 14:04
Modified
2024-08-01 21:45
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Summary
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm.
Impacted products
Vendor Product Version
Canonical Ltd. Juju Version: 3.5   
Version: 3.4   
Version: 3.3   
Version: 3.1   
Version: 2.9   


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "juju",
            "vendor": "canonical",
            "versions": [
              {
                "lessThan": "2.9.50",
                "status": "affected",
                "version": "2.9",
                "versionType": "semver"
              },
              {
                "lessThan": "3.1.9",
                "status": "affected",
                "version": "3.1",
                "versionType": "custom"
              },
              {
                "lessThan": "3.3.5",
                "status": "affected",
                "version": "3.3",
                "versionType": "custom"
              },
              {
                "lessThan": "3.4.5",
                "status": "affected",
                "version": "3.4",
                "versionType": "custom"
              },
              {
                "lessThan": "3.5.3",
                "status": "affected",
                "version": "3.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6984",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-29T14:37:36.928450Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-29T14:41:50.531Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:45:38.419Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://www.cve.org/CVERecord?id=CVE-2024-6984"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "juju",
          "platforms": [
            "Linux",
            "MacOS",
            "Windows"
          ],
          "product": "Juju",
          "repo": "https://github.com/juju/juju",
          "vendor": "Canonical Ltd.",
          "versions": [
            {
              "lessThan": "3.5.3",
              "status": "affected",
              "version": "3.5",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.5",
              "status": "affected",
              "version": "3.4",
              "versionType": "semver"
            },
            {
              "lessThan": "3.3.5",
              "status": "affected",
              "version": "3.3",
              "versionType": "semver"
            },
            {
              "lessThan": "3.1.9",
              "status": "affected",
              "version": "3.1",
              "versionType": "semver"
            },
            {
              "lessThan": "2.9.50",
              "status": "affected",
              "version": "2.9",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pedro Valverde Guimaraes"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Joe Phillips"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Mark Esler"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-29T14:04:05.925Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-6984"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2024-6984",
    "datePublished": "2024-07-29T14:04:05.925Z",
    "dateReserved": "2024-07-22T21:29:24.954Z",
    "dateUpdated": "2024-08-01T21:45:38.419Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0928 (GCVE-0-2025-0928)
Vulnerability from cvelistv5
Published
2025-07-08 17:20
Modified
2025-07-08 17:36
CWE
Summary
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
Impacted products
Vendor Product Version
Canonical Juju Version: 2.0.0   
Version: 3.0.0   


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0928",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T17:35:31.515571Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T17:36:20.075Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://juju.is/",
          "defaultStatus": "unaffected",
          "packageName": "juju",
          "platforms": [
            "Linux"
          ],
          "product": "Juju",
          "repo": "https://github.com/juju/juju",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "2.9.52",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution."
            }
          ],
          "value": "In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "A malicious agent binary could be leveraged to achieve remote code execution on newly provisioned or upgraded machines."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T17:20:04.608Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "url": "https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Arbitrary executable upload via authenticated endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2025-0928",
    "datePublished": "2025-07-08T17:20:04.608Z",
    "dateReserved": "2025-01-31T10:43:45.458Z",
    "dateUpdated": "2025-07-08T17:36:20.075Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53512 (GCVE-0-2025-53512)
Vulnerability from cvelistv5
Published
2025-07-08 16:47
Modified
2025-07-08 19:09
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-285 - Improper Authorization (the source record labels it "Improper Authentication")
Summary
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information.
Impacted products
Vendor Product Version
Canonical Juju Version: 2.0.0   
Version: 3.0.0   


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53512",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-08T19:09:11.652417Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-08T19:09:24.844Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://juju.is/",
          "defaultStatus": "unaffected",
          "packageName": "juju",
          "platforms": [
            "Linux"
          ],
          "product": "Juju",
          "repo": "https://github.com/juju/juju",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "2.9.52",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Any user with a Juju account on a controller could read debug log messages from the /log endpoint."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T16:47:44.427Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "url": "https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63"
        }
      ],
      "source": {
        "advisory": "https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63",
        "discovery": "INTERNAL"
      },
      "title": "Sensitive log retrieval in Juju"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2025-53512",
    "datePublished": "2025-07-08T16:47:44.427Z",
    "dateReserved": "2025-07-02T08:52:42.036Z",
    "dateUpdated": "2025-07-08T19:09:24.844Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-9232 (GCVE-0-2017-9232)
Vulnerability from cvelistv5
Published
2017-05-28 00:00
Modified
2024-08-05 17:02
Severity ?
CWE
  • n/a
Summary
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root.
References
https://bugs.launchpad.net/juju/+bug/1682411 x_refsource_CONFIRM
https://www.exploit-db.com/exploits/44023/ exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/98737 vdb-entry, x_refsource_BID
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:02:44.062Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/juju/+bug/1682411"
          },
          {
            "name": "44023",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/44023/"
          },
          {
            "name": "98737",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/98737"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-05-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-02-14T10:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.launchpad.net/juju/+bug/1682411"
        },
        {
          "name": "44023",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/44023/"
        },
        {
          "name": "98737",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/98737"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-9232",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.launchpad.net/juju/+bug/1682411",
              "refsource": "CONFIRM",
              "url": "https://bugs.launchpad.net/juju/+bug/1682411"
            },
            {
              "name": "44023",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/44023/"
            },
            {
              "name": "98737",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/98737"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-9232",
    "datePublished": "2017-05-28T00:00:00",
    "dateReserved": "2017-05-24T00:00:00",
    "dateUpdated": "2024-08-05T17:02:44.062Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53513 (GCVE-0-2025-53513)
Vulnerability from cvelistv5
Published
2025-07-08 16:57
Modified
2025-07-09 14:00
CWE
  • CWE-24 - Path Traversal: '../filedir'
Summary
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm.
Impacted products
Vendor Product Version
Canonical Juju Version: 2.0.0   
Version: 3.0.0   


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53513",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T14:00:06.132356Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T14:00:10.613Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://juju.is/",
          "defaultStatus": "unaffected",
          "packageName": "juju",
          "platforms": [
            "Linux"
          ],
          "product": "Juju",
          "repo": "https://github.com/juju/juju",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "2.9.52",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "A charm that exploits a Zip Slip vulnerability may be used to gain access to a machine running a unit that uses the affected charm."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-24",
              "description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T16:57:06.351Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "url": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8"
        }
      ],
      "source": {
        "advisory": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8",
        "discovery": "INTERNAL"
      },
      "title": "Zip slip vulnerability in Juju"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2025-53513",
    "datePublished": "2025-07-08T16:57:06.351Z",
    "dateReserved": "2025-07-02T08:52:42.037Z",
    "dateUpdated": "2025-07-09T14:00:10.613Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-1316 (GCVE-0-2015-1316)
Vulnerability from cvelistv5
Published
2019-04-22 15:35
Modified
2024-09-16 19:30
CWE
  • Unsafe default behaviour exposed private credentials.
Summary
Juju Core's Joyent provider before version 1.25.5 uploads the user's private ssh key.
Impacted products
Vendor Product Version
Ubuntu Juju Version: Juju Core   < 1.25.5


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:40:18.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://bazaar.launchpad.net/~juju-core/juju-core/trunk/revision/4119"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Juju",
          "vendor": "Ubuntu",
          "versions": [
            {
              "lessThan": "1.25.5",
              "status": "affected",
              "version": "Juju Core",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2015-01-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Juju Core\u0027s Joyent provider before version 1.25.5 uploads the user\u0027s private ssh key."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Unsafe default behaviour exposed private credentials.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-22T15:35:59",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://bazaar.launchpad.net/~juju-core/juju-core/trunk/revision/4119"
        }
      ],
      "source": {
        "defect": [
          "https://bugs.launchpad.net/juju-core/+bug/1415671"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Juju Joyent provider uploads user\u0027s private ssh key by default",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2015-01-28T00:00:00.000Z",
          "ID": "CVE-2015-1316",
          "STATE": "PUBLIC",
          "TITLE": "Juju Joyent provider uploads user\u0027s private ssh key by default"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Juju",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "Juju Core",
                            "version_value": "1.25.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ubuntu"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Juju Core\u0027s Joyent provider before version 1.25.5 uploads the user\u0027s private ssh key."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Unsafe default behaviour exposed private credentials."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://bazaar.launchpad.net/~juju-core/juju-core/trunk/revision/4119",
              "refsource": "MISC",
              "url": "http://bazaar.launchpad.net/~juju-core/juju-core/trunk/revision/4119"
            }
          ]
        },
        "source": {
          "defect": [
            "https://bugs.launchpad.net/juju-core/+bug/1415671"
          ],
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2015-1316",
    "datePublished": "2019-04-22T15:35:59.130598Z",
    "dateReserved": "2015-01-22T00:00:00",
    "dateUpdated": "2024-09-16T19:30:31.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Vulnerability from fkie_nvd
Published
2017-05-28 00:29
Modified
2025-04-20 01:37
Severity ?
Summary
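Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root. (Note: the configuration data in the record below matches versions up to and including 1.25.12, whereas this description says the issue affects versions before 1.25.12; confirm the fixed 1.25.x release against the referenced Launchpad bug before relying on either boundary. The CVSS vectors in the record also give a network attack vector with no privileges required, although the description concerns a UNIX domain socket reachable by users already on the system, so weigh the scores with that in mind.)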
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C5BE220-6F58-4812-AFE3-8D9793A028C7",
              "versionEndIncluding": "1.25.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A30AAA0-79D7-43EE-9000-E29D239C1423",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "B3613737-D975-4218-8D2D-9C5F30A095D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "68BF4E5A-F8D9-4597-8920-5D8DB5C72DD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "0496CF96-517D-4A42-9393-09D926225CF1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta10:*:*:*:*:*:*",
              "matchCriteriaId": "BA0DAA36-CE44-4615-AAF5-3DAF3C032C5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta11:*:*:*:*:*:*",
              "matchCriteriaId": "9B63B060-8DBF-4FC8-86C4-E2B92F83EEC2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta12:*:*:*:*:*:*",
              "matchCriteriaId": "F0CCD5D2-9A6C-47D0-A6CA-33CE5A8130DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta13:*:*:*:*:*:*",
              "matchCriteriaId": "C66EE5F7-A693-4F40-8CE5-319F107F9D0A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta14:*:*:*:*:*:*",
              "matchCriteriaId": "8B840808-BB6D-4BD9-9C05-553CC2222529",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta15:*:*:*:*:*:*",
              "matchCriteriaId": "55F73215-B61E-46C0-A599-6BA11D047F12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta16:*:*:*:*:*:*",
              "matchCriteriaId": "E7078C20-1D6C-4DE9-A87F-16724AD9D22D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta17:*:*:*:*:*:*",
              "matchCriteriaId": "4491F701-66AC-40FC-9F6D-7F0DD91F298E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta18:*:*:*:*:*:*",
              "matchCriteriaId": "702884F5-D423-4858-AFED-DB3D039FEAD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "4C983D9C-0513-426C-B229-2436C5F59608",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "C76E9506-8AD7-4ED3-9BEF-7161F4A4E552",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "2763A2A8-8513-4DF1-B8BA-067E108F4C65",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "B397B007-DB41-4A83-BDF1-5B8B9C4CB3E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta6:*:*:*:*:*:*",
              "matchCriteriaId": "5363F3FA-92F7-4338-ACA4-F618009B64ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta7:*:*:*:*:*:*",
              "matchCriteriaId": "E321CBD7-2A89-4AC2-929E-3E998C5C2750",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta8:*:*:*:*:*:*",
              "matchCriteriaId": "21765F6B-9EA8-4829-A055-8116E66CF05E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:beta9:*:*:*:*:*:*",
              "matchCriteriaId": "FEA1FDE5-1774-43F3-822D-D7103108C6AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "647A7889-D988-44F2-8ECD-8D33D7EEAE9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "11D7D143-38AA-4E15-9713-0D7964331E2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "D17D297F-6B0D-463A-ABB9-4AF1A9E35C79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF58D367-DC9A-4F83-AF4E-9127BF59833A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "31B341AD-40F8-438B-94E2-638E9AED6759",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "627F7445-CCEE-4839-BDBB-B65942485DFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A801D43-DF2A-4708-8F62-05BF8D6E6E83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "E6B28B60-ECE2-4580-91C3-A45C01E6826D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "C90BD36D-F23C-4A6A-A6BE-70C662462F12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "6CB9B0F1-9164-4256-96FB-23226A97F03A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "472C690A-FD1E-4799-BCA5-844FD48D40C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "161DE2C5-FB64-4761-AEC5-2AAE3330497F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "C9BB6B17-6554-42CF-9D8A-DCAD0DB8E932",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "C3CBB12D-4222-464B-AB93-1EE721A4A08E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1D6E57E-7903-41C1-B492-E496C6E269DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D416EFEF-81D6-4851-B297-6C8DACDBA60C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root."
    },
    {
      "lang": "es",
      "value": "Juju anterior a versi\u00f3n 1.25.12, versiones 2.0.x anteriores a 2.0.4 y versiones 2.1.x anteriores a 2.1.3, utiliza un socket de dominio UNIX sin establecer los permisos apropiados, lo que permite la escalada de privilegios a root por parte de los usuarios del sistema."
    }
  ],
  "id": "CVE-2017-9232",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-05-28T00:29:00.453",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/98737"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/juju/+bug/1682411"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.exploit-db.com/exploits/44023/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/98737"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/juju/+bug/1682411"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/44023/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-04-22 16:29
Modified
2024-11-21 02:25
Summary
Juju Core's Joyent provider before version 1.25.5 uploads the user's private ssh key.
Impacted products
Vendor Product Version
canonical juju *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67421A34-38CE-4949-8256-6278D2C82583",
              "versionEndExcluding": "1.25.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Juju Core\u0027s Joyent provider before version 1.25.5 uploads the user\u0027s private ssh key."
    },
    {
      "lang": "es",
      "value": "El proveedor de Joyent de Juju Core antes de la versi\u00f3n 1.25.5 carga la clave ssh privada del usuario."
    }
  ],
  "id": "CVE-2015-1316",
  "lastModified": "2024-11-21T02:25:09.180",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "security@ubuntu.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-22T16:29:00.647",
  "references": [
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "http://bazaar.launchpad.net/~juju-core/juju-core/trunk/revision/4119"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "http://bazaar.launchpad.net/~juju-core/juju-core/trunk/revision/4119"
    }
  ],
  "sourceIdentifier": "security@ubuntu.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-320"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-07-29 14:15
Modified
2024-11-21 09:50
Summary
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm.
Impacted products
Vendor Product Version
canonical juju *
canonical juju *
canonical juju *
canonical juju *
canonical juju *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A53137FD-EC95-4BB0-87AE-5265D8B20C44",
              "versionEndExcluding": "2.9.50",
              "versionStartIncluding": "2.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4492C790-2A93-4532-8BBA-FAAABE094605",
              "versionEndExcluding": "3.1.9",
              "versionStartIncluding": "3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2411D179-5948-4695-8774-3FB037530AC2",
              "versionEndExcluding": "3.3.6",
              "versionStartIncluding": "3.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63C146EF-AF30-4A6E-97A5-11C387534EA2",
              "versionEndExcluding": "3.4.5",
              "versionStartIncluding": "3.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "34FB1891-C153-4F19-8C3B-F2332BF21D7B",
              "versionEndExcluding": "3.5.3",
              "versionStartIncluding": "3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm."
    },
    {
      "lang": "es",
      "value": " Se descubri\u00f3 un problema en Juju que result\u00f3 en la filtraci\u00f3n del ID de contexto confidencial, que permite a un atacante local sin privilegios acceder a otros datos o relaciones confidenciales accesibles al acceso local."
    }
  ],
  "id": "CVE-2024-6984",
  "lastModified": "2024-11-21T09:50:41.767",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 6.0,
        "source": "security@ubuntu.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.8,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-29T14:15:04.477",
  "references": [
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2"
    },
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx"
    },
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6984"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6984"
    }
  ],
  "sourceIdentifier": "security@ubuntu.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "security@ubuntu.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}