Ops · Ops · CVE-2024-41129
**Name of the Vulnerable Software and Affected Versions**
ops versions prior to 2.15.0
**Description**
The issue arises from the ops library passing secret content as an argument via the command-line interface (CLI). This may affect charms using Juju (>=3.0) and Juju secrets, particularly if they do not correctly capture and process `subprocess.CalledProcessError`. The vulnerability could lead to the exposure of secrets, such as private keys and passwords, through logs or other means, potentially allowing an attacker to gain privileged access.
**Recommendations**
To resolve the issue, update to version 2.15.0 or later. As a temporary workaround, consider implementing one of the suggested mitigation strategies, such as redacting secret arguments from logs, using temporary files for secrets, or passing secrets through stdin if supported by the secret commands. Restrict access to logs and ensure proper handling of `subprocess.CalledProcessError` to minimize the risk of secret exposure.
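The sketch below shows two of the workarounds named above: redacting secret arguments before a `subprocess.CalledProcessError` can reach a log, and passing the secret on stdin instead of argv. It is an added example, not code from the ops library or its fix. The helper names (`run_redacted`, `run_with_stdin`, `failure_message`), the secret value and the always-failing child command are constructed stand-ins for a real secret command.

```python
import subprocess
import sys

REDACTED = "***"

def _scrub(value, secrets):
    """Replace each secret substring in a str; pass None through unchanged."""
    if value is None:
        return None
    for secret in secrets:
        if secret:
            value = value.replace(secret, REDACTED)
    return value

def run_redacted(argv, secrets):
    """Run argv; on failure re-raise CalledProcessError with secrets scrubbed."""
    try:
        return subprocess.run(argv, check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as exc:
        raise subprocess.CalledProcessError(
            exc.returncode,
            [_scrub(arg, secrets) for arg in exc.cmd],
            output=_scrub(exc.output, secrets),
            stderr=_scrub(exc.stderr, secrets),
        ) from None  # keep the original exception (raw argv) out of the traceback

def run_with_stdin(argv, secret):
    """Pass the secret on stdin so it never appears in argv at all."""
    return subprocess.run(argv, input=secret, check=True,
                          capture_output=True, text=True)

# Constructed sample data: a child process that always exits 1.
SECRET = "hunter2-constructed"
FAILING = [sys.executable, "-c", "import sys; sys.exit(1)"]

def failure_message(runner, *args):
    """Return str() of the CalledProcessError a runner raises, as a log would show it."""
    try:
        runner(*args)
    except subprocess.CalledProcessError as exc:
        return str(exc)
    return ""

if __name__ == "__main__":
    argv = FAILING + ["password=" + SECRET]
    print("unhandled:", failure_message(subprocess.check_call, argv))
    print("redacted: ", failure_message(run_redacted, argv, [SECRET]))
    print("stdin:    ", failure_message(run_with_stdin, FAILING, SECRET))
```

Redaction only cleans the exception and captured output; while the child runs, its argv is still visible to anything that can list processes on the host, which is why stdin or a temporary file is the stronger workaround.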