GHSA-phh4-3hmm-24rx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-phh4-3hmm-24rx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-phh4-3hmm-24rx/GHSA-phh4-3hmm-24rx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-phh4-3hmm-24rx
- Withdrawn
- 2024-10-02T21:55:42Z
- Published
- 2024-10-02T12:30:33Z
- Modified
- 2024-10-02T21:55:42Z
- Severity
-
- 8.7 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H CVSS Calculator
- Summary
- Duplicate Advisory: Juju makes Use of Weak Credentials
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mh98-763h-m9v4. This link is maintained to preserve external references.
Original Description
JUJUCONTEXTID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJUCONTEXTID value. This gives the unprivileged user access to the same information and tools as the Juju charm.
- Database specific
{ "nvd_published_at": "2024-10-02T11:15:11Z", "cwe_ids": [ "CWE-1391" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-10-02T21:55:42Z" }- References
Affected packages
Go / github.com/juju/juju
Package
- Name
- github.com/juju/juju
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/juju/juju