CVE-2024-7558
02.10.2024, 11:15
JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm.
Vendor | Product | Version |
---|---|---|
canonical | juju | 𝑥 < 2.9.51 |
canonical | juju | 3.1.0 ≤ 𝑥 < 3.1.10 |
canonical | juju | 3.2.0 ≤ 𝑥 < 3.2.4 |
canonical | juju | 3.3.0 ≤ 𝑥 < 3.3.7 |
canonical | juju | 3.4 ≤ 𝑥 < 3.4.6 |
canonical | juju | 3.5.0 ≤ 𝑥 < 3.5.4 |
𝑥 = Vulnerable software versions
Common Weakness Enumeration
- CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG): A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.
- CWE-330 - Use of Insufficiently Random Values: The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
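
The weakness class named above (CWE-337), shown next to its fix, as an added Go example that is not Juju's code and does not reflect how Juju derives JUJU_CONTEXT_ID. The function names, the `ctx-` prefix and the sample seed are hypothetical.

```go
package main

import (
	crand "crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakContextID (hypothetical) shows CWE-337: the ID is fully determined by
// the seed, so anyone who can narrow down the seed can reproduce the ID.
func weakContextID(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	return fmt.Sprintf("ctx-%d", r.Int63())
}

// strongContextID (hypothetical) draws 128 bits from the OS CSPRNG; there is
// no seed to recover.
func strongContextID() (string, error) {
	b := make([]byte, 16)
	if _, err := crand.Read(b); err != nil {
		return "", err
	}
	return "ctx-" + hex.EncodeToString(b), nil
}

// candidateSeeds is the number of distinct clock-derived seeds in a window,
// i.e. the real size of the secret space when the seed is a timestamp.
func candidateSeeds(window, resolution time.Duration) int64 {
	return int64(window / resolution)
}

func main() {
	seed := int64(1727860500) // constructed sample: a Unix timestamp
	fmt.Println("weak, run 1:", weakContextID(seed))
	fmt.Println("weak, run 2:", weakContextID(seed)) // identical to run 1
	id, err := strongContextID()
	if err != nil {
		panic(err)
	}
	fmt.Println("strong:", id)
	fmt.Println("seeds in 1h at 1s resolution:", candidateSeeds(time.Hour, time.Second))
}
```

A secret derived from a one-second-resolution clock has only 3600 possible values per hour, against 2^128 for the CSPRNG version, which is why the fix for this weakness class is to take authentication secrets from `crypto/rand`.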