CVE-2024-41129 - Vulnerability Details - OpenCVE

The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-2360	The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0.
Github GHSA	GHSA-hcmv-jmqh-fjgm	ops leaking secrets if `subprocess.CalledProcessError` happens with a `secret-*` CLI command

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61
https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-22T14:20:08.920Z

Updated: 2024-08-02T04:46:52.414Z

Reserved: 2024-07-15T15:53:28.324Z

Link: CVE-2024-41129

Vulnrichment

Updated: 2024-08-02T04:46:52.414Z

NVD

Status : Awaiting Analysis

Published: 2024-07-22T15:15:03.710

Modified: 2024-11-21T09:32:17.440

Link: CVE-2024-41129

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41129", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-15T15:53:28.324Z", "datePublished": "2024-07-22T14:20:08.920Z", "dateUpdated": "2024-08-02T04:46:52.414Z"}, "containers": {"cna": {"title": "The ops library leaks secrets if `subprocess.CalledProcessError` happens with a `secret-*` CLI command", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm"}, {"name": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61", "tags": ["x_refsource_MISC"], "url": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61"}], "affected": [{"vendor": "canonical", "product": "operator", "versions": [{"version": ">= 2.0.0, < 2.15.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-22T14:20:08.920Z"}, "descriptions": [{"lang": "en", "value": "The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0."}], "source": {"advisory": "GHSA-hcmv-jmqh-fjgm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-22T19:43:49.019092Z", "id": "CVE-2024-41129", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T16:08:06.843Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.414Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm"}, {"name": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm", "name": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61", "name": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.414Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41129", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-22T19:43:49.019092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T20:48:06.056Z"}}], "cna": {"title": "The ops library leaks secrets if `subprocess.CalledProcessError` happens with a `secret-*` CLI command", "source": {"advisory": "GHSA-hcmv-jmqh-fjgm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "canonical", "product": "operator", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.15.0"}]}], "references": [{"url": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm", "name": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61", "name": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-22T14:20:08.920Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41129", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:46:52.414Z", "dateReserved": "2024-07-15T15:53:28.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-22T14:20:08.920Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0."}, {"lang": "es", "value": "La librer\u00eda ops es un framework de Python para desarrollar y probar Kubernetes y accesos a m\u00e1quinas. El problema aqu\u00ed es que ops pasa el contenido secreto como uno de los argumentos a trav\u00e9s de CLI. Este problema puede afectar cualquiera de los accesos que est\u00e1n usando: Juju (>=3.0), Juju secrets y no capturen ni procesen correctamente `subprocess.CalledProcessError`. Esta vulnerabilidad se solucion\u00f3 en 2.15.0."}], "id": "CVE-2024-41129", "lastModified": "2024-11-21T09:32:17.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-22T15:15:03.710", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61"}, {"source": "security-advisories@github.com", "url": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}]}