CVE-2024-6984 - Vulnerability Details - OpenCVE

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Juju

Configuration 1 [-]

OR	cpe:2.3:a:canonical:juju::::::::
	cpe:2.3:a:canonical:juju::::::::
	cpe:2.3:a:canonical:juju::::::::
	cpe:2.3:a:canonical:juju::::::::
	cpe:2.3:a:canonical:juju::::::::

No data.

References

Link	Providers
https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2
https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx
https://www.cve.org/CVERecord?id=CVE-2024-6984

History

Wed, 11 Sep 2024 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Canonical Canonical juju
CPEs		cpe:2.3:a:canonical:juju::::::::
Vendors & Products		Canonical Canonical juju

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2024-07-29T14:04:05.925Z

Updated: 2024-08-01T21:45:38.419Z

Reserved: 2024-07-22T21:29:24.954Z

Link: CVE-2024-6984

Vulnrichment

Updated: 2024-08-01T21:45:38.419Z

NVD

Status : Modified

Published: 2024-07-29T14:15:04.477

Modified: 2024-11-21T09:50:41.767

Link: CVE-2024-6984

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6984", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2024-07-22T21:29:24.954Z", "datePublished": "2024-07-29T14:04:05.925Z", "dateUpdated": "2024-08-01T21:45:38.419Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "affected": [{"vendor": "Canonical Ltd.", "product": "Juju", "platforms": ["Linux", "MacOS", "Windows"], "packageName": "juju", "repo": "https://github.com/juju/juju", "versions": [{"status": "affected", "version": "3.5", "lessThan": "3.5.3", "versionType": "semver"}, {"status": "affected", "version": "3.4", "lessThan": "3.4.5", "versionType": "semver"}, {"status": "affected", "version": "3.3", "lessThan": "3.3.5", "versionType": "semver"}, {"status": "affected", "version": "3.1", "lessThan": "3.1.9", "versionType": "semver"}, {"status": "affected", "version": "2.9", "lessThan": "2.9.50", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm."}], "references": [{"url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2", "tags": ["patch"]}, {"url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx", "tags": ["issue-tracking"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2024-6984", "tags": ["issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Pedro Valverde Guimaraes", "type": "finder"}, {"lang": "en", "value": "Joe Phillips", "type": "remediation developer"}, {"lang": "en", "value": "Mark Esler", "type": "coordinator"}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-07-29T14:04:05.925Z"}}, "adp": [{"affected": [{"vendor": "canonical", "product": "juju", "cpes": ["cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.9", "status": "affected", "lessThan": "2.9.50", "versionType": "semver"}, {"version": "3.1", "status": "affected", "lessThan": "3.1.9", "versionType": "custom"}, {"version": "3.3", "status": "affected", "lessThan": "3.3.5", "versionType": "custom"}, {"version": "3.4", "status": "affected", "lessThan": "3.4.5", "versionType": "custom"}, {"version": "3.5", "status": "affected", "lessThan": "3.5.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-29T14:37:36.928450Z", "id": "CVE-2024-6984", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T14:41:50.531Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.419Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2024-6984", "tags": ["issue-tracking", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2024-6984", "tags": ["issue-tracking", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.419Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6984", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-29T14:37:36.928450Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*"], "vendor": "canonical", "product": "juju", "versions": [{"status": "affected", "version": "2.9", "lessThan": "2.9.50", "versionType": "semver"}, {"status": "affected", "version": "3.1", "lessThan": "3.1.9", "versionType": "custom"}, {"status": "affected", "version": "3.3", "lessThan": "3.3.5", "versionType": "custom"}, {"status": "affected", "version": "3.4", "lessThan": "3.4.5", "versionType": "custom"}, {"status": "affected", "version": "3.5", "lessThan": "3.5.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T14:39:25.276Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Pedro Valverde Guimaraes"}, {"lang": "en", "type": "remediation developer", "value": "Joe Phillips"}, {"lang": "en", "type": "coordinator", "value": "Mark Esler"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/juju/juju", "vendor": "Canonical Ltd.", "product": "Juju", "versions": [{"status": "affected", "version": "3.5", "lessThan": "3.5.3", "versionType": "semver"}, {"status": "affected", "version": "3.4", "lessThan": "3.4.5", "versionType": "semver"}, {"status": "affected", "version": "3.3", "lessThan": "3.3.5", "versionType": "semver"}, {"status": "affected", "version": "3.1", "lessThan": "3.1.9", "versionType": "semver"}, {"status": "affected", "version": "2.9", "lessThan": "2.9.50", "versionType": "semver"}], "platforms": ["Linux", "MacOS", "Windows"], "packageName": "juju", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2", "tags": ["patch"]}, {"url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx", "tags": ["issue-tracking"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2024-6984", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-07-29T14:04:05.925Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6984", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:45:38.419Z", "dateReserved": "2024-07-22T21:29:24.954Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2024-07-29T14:04:05.925Z", "assignerShortName": "canonical"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "A53137FD-EC95-4BB0-87AE-5265D8B20C44", "versionEndExcluding": "2.9.50", "versionStartIncluding": "2.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "4492C790-2A93-4532-8BBA-FAAABE094605", "versionEndExcluding": "3.1.9", "versionStartIncluding": "3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "2411D179-5948-4695-8774-3FB037530AC2", "versionEndExcluding": "3.3.6", "versionStartIncluding": "3.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "63C146EF-AF30-4A6E-97A5-11C387534EA2", "versionEndExcluding": "3.4.5", "versionStartIncluding": "3.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "34FB1891-C153-4F19-8C3B-F2332BF21D7B", "versionEndExcluding": "3.5.3", "versionStartIncluding": "3.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm."}, {"lang": "es", "value": " Se descubri\u00f3 un problema en Juju que result\u00f3 en la filtraci\u00f3n del ID de contexto confidencial, que permite a un atacante local sin privilegios acceder a otros datos o relaciones confidenciales accesibles al acceso local."}], "id": "CVE-2024-6984", "lastModified": "2024-11-21T09:50:41.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "security@ubuntu.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-29T14:15:04.477", "references": [{"source": "security@ubuntu.com", "tags": ["Patch"], "url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2"}, {"source": "security@ubuntu.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2024-6984"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/juju/juju/commit/da929676853092a29ddf8d589468cf85ba3efaf2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/juju/juju/security/advisories/GHSA-6vjm-54vp-mxhx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2024-6984"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security@ubuntu.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}