CVE-2024-8037

Summary

Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.

Affected Software

VendorProductVersion RangeStatus
Canonical Ltd.Juju3.5 < 3.5.4affected
Canonical Ltd.Juju3.4 < 3.4.6affected
Canonical Ltd.Juju3.3 < 3.3.7affected
Canonical Ltd.Juju3.1 < 3.1.10affected
Canonical Ltd.Juju2.9 < 2.9.51affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References