An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running.
On a juju controller agent, denial of service can be performed by using the /leases/revoke
endpoint. Revoking leases in juju can cause availability issues.
On a juju machine agent that is hosting units, disabling the unit component can be performed using the /units
endpoint with a "stop" action.
Patch: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b Patched in: - 3.5.4 - 3.4.6 - 3.3.7 - 3.1.10 - 2.9.51
No workaround.
https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125
{ "nvd_published_at": null, "github_reviewed": true, "github_reviewed_at": "2024-10-03T16:53:26Z", "severity": "MODERATE", "cwe_ids": [] }