Lucene search
K

149 matches found

OSV
OSV
added 2024/10/03 4:49 p.m.4 views

GHSA-MH98-763H-M9V4 JUJU_CONTEXT_ID is a predictable authentication secret

JUJUCONTEXTID is the authentication measure on the unit hook tool abstract domain socket. It looks like JUJUCONTEXTID=appname/0-update-status-6073989428498739633. This value looks fairly unpredictable, but due to the random source used, it is highly predictable. JUJUCONTEXTID has the following...

8.7CVSS8.3AI score0.00502EPSS
Exploits1References5
NVD
NVD
added 2024/10/02 11:15 a.m.19 views

CVE-2024-7558

JUJUCONTEXTID is a predictable authentication secret. On a Juju machine non-Kubernetes or Juju charm container on Kubernetes, an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJUCONTEXTID value. This gives the unprivileged user access to t...

8.7CVSS0.00502EPSS
Exploits1References2
NVD
NVD
added 2024/10/02 11:15 a.m.28 views

CVE-2024-8037

Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJUCONTEXTID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a...

6.5CVSS0.00187EPSS
Exploits0References2
Cvelist
Cvelist
added 2024/10/02 10:12 a.m.35 views

CVE-2024-8037

Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJUCONTEXTID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a...

6.5CVSS0.00187EPSS
Exploits0References2
CVE
CVE
added 2024/10/02 10:12 a.m.88 views

CVE-2024-8037

CVE-2024-8037 describes a vulnerability in the juju hook tool where an abstract UNIX domain socket can be misused when JUJU_CONTEXT_ID is present. A local user who can access the default network namespace could connect to the socket at /var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform ...

6.5CVSS6.8AI score0.00187EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2024/10/02 10:6 a.m.6 views

CVE-2024-7558

JUJUCONTEXTID is a predictable authentication secret. On a Juju machine non-Kubernetes or Juju charm container on Kubernetes, an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJUCONTEXTID value. This gives the unprivileged user access to t...

8.7CVSS6.8AI score0.00502EPSS
Exploits1References2
OSV
OSV
added 2024/10/02 10:6 a.m.4 views

CVE-2024-7558

JUJUCONTEXTID is a predictable authentication secret. On a Juju machine non-Kubernetes or Juju charm container on Kubernetes, an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJUCONTEXTID value. This gives the unprivileged user access to t...

8.7CVSS7.1AI score0.00502EPSS
Exploits1References5
CNNVD
CNNVD
added 2024/10/02 12:0 a.m.10 views

Juju 安全漏洞

Juju is an open source application orchestration engine from Canonical Juju Open Source. Juju has a security vulnerability in 该漏洞源于任何有权访问默认网络命名空间的用户都可以连接到@/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and performs operations normally reserved for the juju charm...

6.5CVSS8AI score0.00187EPSS
Exploits0References4
OSV
OSV
added 2024/08/21 3:11 p.m.12 views

GO-2022-0449 Server-Side Request Forgery in charm in github.com/charmbracelet/charm

Server-Side Request Forgery in charm in github.com/charmbracelet/charm...

9.8CVSS9.5AI score0.00745EPSS
Exploits0References3
OSV
OSV
added 2024/08/06 10:3 p.m.25 views

GO-2024-3040 Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm in github.com/juju/juju

Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causi...

8.8CVSS5.8AI score0.00379EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2024/08/05 5:19 p.m.11 views

Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm. A potential exploit where a user can run a bash loop attempting to execute hook tools. If...

8.8CVSS7AI score0.00379EPSS
Exploits1References6Affected Software1
Veracode
Veracode
added 2024/07/30 7:39 p.m.12 views

Sensitive Information Exposure

github.com/juju/juju is vulnerable to Sensitive Information Exposure. The vulnerability is due to the leak of the sensitive context ID, allowing a local unprivileged attacker to access other sensitive data or relations accessible to the local charm...

8.8CVSS6.4AI score0.00379EPSS
Exploits1References8Affected Software1
NVD
NVD
added 2024/07/29 2:15 p.m.32 views

CVE-2024-6984

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm...

8.8CVSS0.00379EPSS
Exploits1References3
CVE
CVE
added 2024/07/29 2:4 p.m.49 views

CVE-2024-6984

Summary: CVE-2024-6984 concerns Juju leaking the sensitive context ID, enabling a local unprivileged attacker to access data or relations visible to the local charm. The issue is discussed across multiple sources (NVD, Red Hat, OSV advisories, GHSA, Veracode) and is described as a local leakage v...

8.8CVSS8.4AI score0.00379EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2024/07/22 5:40 p.m.12 views

GHSA-HCMV-JMQH-FJGM ops leaking secrets if `subprocess.CalledProcessError` happens with a `secret-*` CLI command

Summary The issue here is that we pass the secret content as one of the args via CLI. This issue may affect any of our charms that are using: Juju =3.0, Juju secrets and not correctly capturing and processing subprocess.CalledProcessError. There are two points that may log this command, in...

6.9CVSS5.2AI score0.00198EPSS
Exploits0References4
Openbugbounty
Openbugbounty
added 2023/09/06 1:57 a.m.11 views

petcharmphoto.com Cross Site Scripting vulnerability OBB-3651157

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

6.1AI score
Exploits0
OSV
OSV
added 2022/08/05 4:15 p.m.3 views

CVE-2022-36836

Unprotected provider vulnerability in Charm by Samsung prior to version 1.2.3 allows attackers to read connection state without permission...

5.5CVSS5.8AI score0.00178EPSS
Exploits0References1
NVD
NVD
added 2022/08/05 4:15 p.m.11 views

CVE-2022-36836

Unprotected provider vulnerability in Charm by Samsung prior to version 1.2.3 allows attackers to read connection state without permission...

6.2CVSS0.00178EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2022/08/05 4:15 p.m.5 views

CVE-2022-33733

Sensitive information exposure in onCharacteristicRead in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission...

6.2CVSS5.8AI score0.00173EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2022/08/05 4:15 p.m.3 views

CVE-2022-33734

Sensitive information exposure in onCharacteristicChanged in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission...

6.2CVSS5.8AI score0.00178EPSS
Exploits0References3
Rows per page
Query Builder