Description
The abstract UNIX domain socket used by the Juju hook tool is vulnerable. When combined with an attack on JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved for a Juju charm.
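A defender's check for the exposure described above, as an added example that is not part of the advisory or of Juju's own code: it parses /proc/net/unix, where Linux lists abstract-namespace sockets with a leading @, and reports listening sockets whose name matches the advisory's pattern. The sample table, inode numbers and unit names are constructed for illustration.

```python
import re

# Name pattern taken from the advisory; the unit part is matched loosely.
JUJU_ABSTRACT = re.compile(r"^@/var/lib/juju/agents/unit-[^/]+/agent\.socket$")
SO_ACCEPTCON = 0x10000  # Flags bit set on listening sockets in /proc/net/unix

# Constructed sample in /proc/net/unix format (not captured from a real host).
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 31337 @/var/lib/juju/agents/unit-demo-0/agent.socket
0000000000000000: 00000002 00000000 00010000 0001 01 20211 /var/lib/juju/agents/unit-demo-1/agent.socket
0000000000000000: 00000003 00000000 00000000 0001 03 18822
0000000000000000: 00000003 00000000 00000000 0001 03 18830 @/var/lib/juju/agents/unit-demo-0/agent.socket
0000000000000000: 00000002 00000000 00010000 0001 01 17001 @/tmp/.X11-unix/X0
"""


def find_abstract_juju_sockets(proc_net_unix_text):
    """Return [(inode, name)] for listening abstract Juju agent sockets.

    Abstract names are not files, so no file mode or ownership protects
    them; a filesystem-path socket (no leading '@') is deliberately skipped.
    """
    hits = []
    for line in proc_net_unix_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # unnamed socket: the Path column is absent
        flags, inode, name = fields[3], fields[6], fields[7].strip()
        if not int(flags, 16) & SO_ACCEPTCON:
            continue  # connected endpoint, not the listener itself
        if JUJU_ABSTRACT.match(name):
            hits.append((int(inode), name))
    return hits


def scan_host(path="/proc/net/unix"):
    """Scan the live table of the caller's own network namespace."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_abstract_juju_sockets(fh.read())


if __name__ == "__main__":
    for inode, name in find_abstract_juju_sockets(SAMPLE):
        print(f"abstract Juju agent socket: inode={inode} name={name}")
```

Because /proc/net/unix reflects the reader's network namespace, run scan_host() from the default namespace to see what a local user there could reach.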
CVSS breakdown
CVSS 3.1
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: High
- Availability: High
Affected products
- Canonical Ltd. / Juju 3.5 – 3.5.4
- Canonical Ltd. / Juju 3.4 – 3.4.6
- Canonical Ltd. / Juju 3.3 – 3.3.7
- Canonical Ltd. / Juju 3.1 – 3.1.10
- Canonical Ltd. / Juju 2.9 – 2.9.51