golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/juju/juju: GHSA-phh4-3hmm-24rx #3178

Closed GoVulnBot closed 1 month ago

GoVulnBot commented 2 months ago

Advisory GHSA-phh4-3hmm-24rx references a vulnerability in the following Go modules:

Module
github.com/juju/juju

Description:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-mh98-763h-m9v4. This link is maintained to preserve external references.

Original Description

JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/juju/juju
      versions:
        - fixed: 0.0.0-20241001032836-2af7bd8e310b
summary: 'Duplicate Advisory: Juju makes Use of Weak Credentials in github.com/juju/juju'
ghsas:
    - GHSA-phh4-3hmm-24rx
references:
    - advisory: https://github.com/advisories/GHSA-phh4-3hmm-24rx
    - web: https://github.com/juju/juju/security/advisories/GHSA-mh98-763h-m9v4
    - web: https://nvd.nist.gov/vuln/detail/CVE-2024-7558
    - web: https://www.cve.org/CVERecord?id=CVE-2024-7558
notes:
    - fix: 'github.com/juju/juju: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-phh4-3hmm-24rx
    created: 2024-10-02T22:01:22.289881393Z
review_status: UNREVIEWED

gopherbot commented 1 month ago

Change https://go.dev/cl/619155 mentions this issue: data/excluded: add 3 reports