x/vulndb: potential Go vuln in github.com/juju/juju: GHSA-6vjm-54vp-mxhx #3040

Closed
GoVulnBot opened this issue Aug 5, 2024 · 1 comment
@GoVulnBot
Advisory GHSA-6vjm-54vp-mxhx references a vulnerability in the following Go modules:

Module
github.com/juju/juju

Description:
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relations accessible to the local charm. A potential exploit: a user can run a bash loop attempting to execute hook tools. If this runs while another hook is executing, we log an error with the context ID, making it possible for the user to then use that ID in a following call successfully. This means an unprivileged user can access anything available via a hook tool, such as config, relation data and secrets.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/juju/juju
      non_go_versions:
        - fixed: 2.9.50
        - introduced: 3.0.0
        - fixed: 3.1.9
        - introduced: 3.2.0
        - fixed: 3.3.6
        - introduced: 3.4.0
        - fixed: 3.4.5
        - introduced: 3.5.0
        - fixed: 3.5.3
      vulnerable_at: 0.0.0-20240805113408-a5b7f6ec8204
summary: |-
    Juju's unprivileged user running on charm node can leak any secret or relation
    data accessible to the local charm in github.com/juju/juju
ghsas:
    - GHSA-6vjm-54vp-mxhx
references:
    - advisory: https://github.com/advisories/GHSA-6vjm-54vp-mxhx
    - advisory: https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx
    - fix: https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2
    - web: https://nvd.nist.gov/vuln/detail/CVE-2024-6984
source:
    id: GHSA-6vjm-54vp-mxhx
    created: 2024-08-05T18:01:32.513682524Z
review_status: UNREVIEWED

@gopherbot (Contributor)

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports


3 participants