CVE-2024-41129

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41129
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41129.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-41129
Aliases
Published
2024-07-22T14:20:08Z
Modified
2025-10-22T18:42:54.882511Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
The ops library leaks secrets if `subprocess.CalledProcessError` happens with a `secret-*` CLI command
Details

The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue is that ops passes the secret content as one of the arguments on the command line. It may affect any charm that uses Juju (>=3.0) and Juju secrets and does not correctly capture and process `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0.

Database specific
{
    "cwe_ids": [
        "CWE-532"
    ]
}
References

Affected packages

Git / github.com/canonical/operator

Affected ranges

Type
GIT
Repo
https://github.com/canonical/operator
Events

Affected versions

2.*

2.0.0
2.0.0rc2
2.1.0
2.1.1
2.10.0
2.11.0
2.12.0
2.13.0
2.14.0
2.14.1
2.2.0
2.3.0
2.4.0
2.4.1
2.5.0
2.6.0
2.7.0
2.8.0
2.9.0