GHSA-xwgj-vpm9-q2rq

Suggest an improvement
Source
https://github.com/advisories/GHSA-xwgj-vpm9-q2rq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-xwgj-vpm9-q2rq/GHSA-xwgj-vpm9-q2rq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xwgj-vpm9-q2rq
Aliases
Published
2024-10-03T16:53:26Z
Modified
2024-10-09T22:49:20Z
Severity
  • 7.9 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H CVSS Calculator
  • 6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:H/SA:H CVSS Calculator
Summary
Vulnerable juju introspection abstract UNIX domain socket
Details

Impact

An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running.

On a juju controller agent, denial of service can be performed by using the /leases/revoke endpoint. Revoking leases in juju can cause availability issues.

On a juju machine agent that is hosting units, disabling the unit component can be performed using the /units endpoint with a "stop" action.

Patches

Patch: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b Patched in: - 3.5.4 - 3.4.6 - 3.3.7 - 3.1.10 - 2.9.51

Workarounds

No workaround.

References

https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125

Database specific 
{
    "github_reviewed_at": "2024-10-03T16:53:26Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "nvd_published_at": null,
    "github_reviewed": true
}
References

Affected packages

Go / github.com/juju/juju

Package

Name
github.com/juju/juju
View open source insights on deps.dev
Purl
pkg:golang/github.com/juju/juju

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.0-20240829052008-43f0fc59790d