x/vulndb: potential Go vuln in github.com/juju/juju: CVE-2024-8037

[GoVulnBot]

Advisory CVE-2024-8037 references a vulnerability in the following Go modules:

Module
github.com/juju/juju

Description:
Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.

References:

• ADVISORY: https://www.cve.org/CVERecord?id=CVE-2024-8037
• WEB: GHSA-8v4w-f4r9-7h6x

Cross references:

• github.com/juju/juju appears in 3 other report(s):
  • data/excluded/GO-2023-1598.yaml (x/vulndb: potential Go vuln in github.com/juju/juju: GHSA-x5rv-w9pm-8qp8 #1598) NOT_IMPORTABLE
  • data/reports/GO-2024-3010.yaml (x/vulndb: potential Go vuln in github.com/juju/juju: CVE-2024-6984 #3010)
  • data/reports/GO-2024-3040.yaml (x/vulndb: potential Go vuln in github.com/juju/juju: GHSA-6vjm-54vp-mxhx #3040)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/juju/juju
      vulnerable_at: 0.0.0-20241001233705-e746c7c7fbf6
summary: CVE-2024-8037 in github.com/juju/juju
cves:
    - CVE-2024-8037
references:
    - advisory: https://www.cve.org/CVERecord?id=CVE-2024-8037
    - web: https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x
source:
    id: CVE-2024-8037
    created: 2024-10-02T12:01:19.859029939Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/619135 mentions this issue: data/reports: add 15 reports