FKIE_CVE-2024-41129

Vulnerability from fkie_nvd - Published: 2024-07-22 15:15 - Updated: 2024-11-21 09:32
Severity ?
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0.
References
security-advisories@github.comhttps://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61
security-advisories@github.comhttps://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm
af854a3a-2127-422b-91ae-364da2661108https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61
af854a3a-2127-422b-91ae-364da2661108https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (\u003e=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0."
    },
    {
      "lang": "es",
      "value": "La librer\u00eda ops es un framework de Python para desarrollar y probar Kubernetes y accesos a m\u00e1quinas. El problema aqu\u00ed es que ops pasa el contenido secreto como uno de los argumentos a trav\u00e9s de CLI. Este problema puede afectar cualquiera de los accesos que est\u00e1n usando: Juju (\u0026gt;=3.0), Juju secrets y no capturen ni procesen correctamente `subprocess.CalledProcessError`. Esta vulnerabilidad se solucion\u00f3 en 2.15.0."
    }
  ],
  "id": "CVE-2024-41129",
  "lastModified": "2024-11-21T09:32:17.440",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-22T15:15:03.710",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.