CVE-2024-7558

Oct. 4, 2024, 1:50 p.m.

8.7
High

Description

JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm.

Product(s) Impacted

Product Versions
Juju
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1391
Use of Weak Credentials
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

References

https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4
https://www.cve.org/CVERecord?id=CVE-2024-7558

Tags

security@ubuntu.com
CWE-1391
2024-10-02
CVE-2024-7558

CVSS Score

8.7 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

    View Vector String

Timeline

Published: Oct. 2, 2024, 11:15 a.m.
Last Modified: Oct. 4, 2024, 1:50 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@ubuntu.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.