Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. github.com/juju/juju
  4. ›
  5. CVE-2024-8038

CVE-2024-8038: Vulnerable juju introspection abstract UNIX domain socket

October 3, 2024 (updated October 9, 2024)

An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running.

On a juju controller agent, denial of service can be performed by using the /leases/revoke endpoint. Revoking leases in juju can cause availability issues.

On a juju machine agent that is hosting units, disabling the unit component can be performed using the /units endpoint with a “stop” action.

References

  • github.com/advisories/GHSA-xwgj-vpm9-q2rq
  • github.com/juju/juju
  • github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go
  • github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
  • github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq
  • nvd.nist.gov/vuln/detail/CVE-2024-8038
  • pkg.go.dev/vuln/GO-2024-3175

Code Behaviors & Features

Detect and mitigate CVE-2024-8038 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 0.0.0-20240829052008-43f0fc59790d

Fixed versions

  • 0.0.0-20240829052008-43f0fc59790d

Solution

Upgrade to version 0.0.0-20240829052008-43f0fc59790d or above.

Impact 7.9 HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H

Learn more about CVSS

Source file

go/github.com/juju/juju/CVE-2024-8038.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:08 +0000.