CVE-2024-41129
4.4
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing subprocess.CalledProcessError. This vulnerability is fixed in 2.15.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| canonical | operator | >= 2.0.0, < 2.15.0 | affected |
Weaknesses
- CWE-532: CWE-532: Insertion of Sensitive Information into Log File
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm
- https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61
References
- https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm
- https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.