CVE-2024-8037

Published: Oct 2, 2024Modified: Aug 26, 2025

6.5

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H

Exploitability: 1.0 / Impact: 5.5

Source: security@ubuntu.com (Secondary)

Description

Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.

Affected (6)

Products: Canonical: Juju

Canonical

1 product

Juju

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Canonical Juju	Before 2.9.51
Canonical Juju	From 3.1.0 to 3.1.10
Canonical Juju	From 3.2.0 to 3.2.4
Canonical Juju	From 3.3.0 to 3.3.7
Canonical Juju	From 3.4 to 3.4.6
Canonical Juju	From 3.5.0 to 3.5.4

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (2)

https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x

Source: security@ubuntu.com

PatchVendor Advisory

https://www.cve.org/CVERecord?id=CVE-2024-8037

Source: security@ubuntu.com

Third Party Advisory

Timeline

No history available yet.