Key information

CVE-2024-8037
CNA: Canonical Ltd.
Published: 2024-10-02
Updated: 2024-10-02

Description
Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack on JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.

CVSS Score: 6.5
Severity: MEDIUM
Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H

Product Status
Vendor: Canonical Ltd.
Product: Juju
Platforms: Linux
Affected Versions:
  3.5 before 3.5.4
  3.4 before 3.4.6
  3.3 before 3.3.7
  3.1 before 3.1.10
  2.9 before 2.9.51

Credits
Pedro Guimaraes: finder
Harry Pidcock: remediation developer
Mark Esler: coordinator

References
GitHub CVE Record

Authorized Data Publishers
CISA-ADP

Summary
This CVE record describes a vulnerability in Canonical's Juju affecting 3.5 before 3.5.4, 3.4 before 3.4.6, 3.3 before 3.3.7, 3.1 before 3.1.10, and 2.9 before 2.9.51. The hook tool socket of a unit agent is an abstract UNIX domain socket (the leading "@" in @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket). Abstract sockets live in the network namespace rather than the filesystem, so the mode of /var/lib/juju does not restrict who may connect; any local user in the default network namespace can reach the socket. Combined with an attack on JUJU_CONTEXT_ID, such a user can perform actions normally reserved to a juju charm. The CVSS 3.1 score is 6.5 (medium): local attack vector, high attack complexity, low privileges required, no user interaction, low confidentiality impact and high integrity and availability impact. The fix is to upgrade to 3.5.4, 3.4.6, 3.3.7, 3.1.10 or 2.9.51, depending on the series in use.
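As an added example (not part of the CVE record and not Juju's own code), the Python below performs the two checks a practitioner would want on a Juju-managed host: it parses /proc/net/unix for abstract sockets whose name matches the hook tool socket path from the record (abstract names appear there with a leading "@"), and it compares a juju version string against the affected ranges listed above. The embedded /proc/net/unix sample, including the unit name unit-mysql-0 and the inode numbers, is constructed for the example; on a real Linux host the script reads the live file.

```python
import os
import re
from typing import List, Optional, Tuple

# Fixed version per affected series, taken from the "Affected Versions" list above.
# Series not listed in the record (e.g. 3.2) are reported as unknown.
FIXED_IN = {
    (3, 5): (3, 5, 4),
    (3, 4): (3, 4, 6),
    (3, 3): (3, 3, 7),
    (3, 1): (3, 1, 10),
    (2, 9): (2, 9, 51),
}

# Hook tool socket path from the record; the "@" marks an abstract socket in /proc/net/unix.
# The unit name is "unit-<app>-<n>" in practice; the record writes it as unit-xxxx-yyyy.
ABSTRACT_AGENT_SOCKET = re.compile(
    r"^@/var/lib/juju/agents/(?P<unit>unit-[^/]+)/agent\.socket$"
)

# Constructed sample of /proc/net/unix: one path-bound socket under /run, one abstract
# juju unit socket (vulnerable pattern), one unnamed socket, and one path-bound socket
# at the same juju path without "@" (protected by directory permissions, so not flagged).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 21345 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00010000 0001 01 31337 @/var/lib/juju/agents/unit-mysql-0/agent.socket
0000000000000000: 00000003 00000000 00000000 0001 03 31339
0000000000000000: 00000002 00000000 00010000 0001 01 31340 /var/lib/juju/agents/unit-mysql-0/agent.socket
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (trailing suffixes such as '-beta1' are ignored)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised juju version: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fix for its series, False if fixed,
    None if the series is not listed in the CVE record."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def find_abstract_juju_sockets(proc_net_unix: str) -> List[str]:
    """Return unit names whose agent socket is bound in the abstract namespace.

    /proc/net/unix has eight whitespace-separated columns; the Path column is
    absent for unnamed sockets, and abstract names are printed with a leading '@'.
    """
    units = []
    for line in proc_net_unix.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # unnamed socket, no path column
        m = ABSTRACT_AGENT_SOCKET.match(fields[7])
        if m:
            units.append(m.group("unit"))
    return units


def main() -> None:
    path = "/proc/net/unix"
    if os.path.exists(path):
        with open(path) as f:
            data = f.read()
    else:
        data = SAMPLE_PROC_NET_UNIX  # non-Linux hosts: fall back to the constructed sample
    for unit in find_abstract_juju_sockets(data):
        print(f"abstract hook tool socket exposed for {unit}: reachable by any local user "
              f"in this network namespace (CVE-2024-8037 pattern)")
    for v in ("3.5.3", "3.5.4", "2.9.51", "3.2.0"):
        print(f"juju {v}: affected={is_affected(v)}")


if __name__ == "__main__":
    main()
```

The socket scan is a point-in-time check: it only sees agents that are currently running. The version check is the authoritative one, and "affected=None" means the record says nothing about that series, not that it is safe.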