PT-2024-29283 · Ops

Phvalguima · Published 2024-07-22 · Updated 2024-07-24

CVE-2024-41129

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ops versions prior to 2.15.0

Description: The issue arises from the ops library passing secret content as a command-line (CLI) argument. This may affect charms using Juju (>=3.0) and Juju secrets, particularly if they do not correctly catch and handle subprocess.CalledProcessError, since the failing command line (including the secret) is carried in the exception and can end up in tracebacks and logs. The vulnerability could lead to the exposure of secrets, such as private keys and passwords, through logs or other means, potentially allowing an attacker to gain privileged access.

Recommendations: To resolve the issue, update to version 2.15.0 or later. As a temporary workaround, consider implementing one of the suggested mitigation strategies, such as redacting secret arguments from logs, using temporary files for secrets, or passing secrets through stdin if supported by the secret commands. Restrict access to logs and ensure proper handling of subprocess.CalledProcessError to minimize the risk of secret exposure.
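To illustrate the workaround of handling subprocess.CalledProcessError and redacting secret arguments before anything is logged, here is an added example; it is not code from the advisory or from the ops library, and the helper names run_with_secrets, redact_args and demo, as well as the sample secret value, are assumptions.

```python
import logging
import subprocess
import sys
from typing import List, Optional, Sequence

REDACTED = "<redacted>"


def redact_args(values: Sequence[str], secrets: Sequence[str]) -> List[str]:
    """Copy `values` with every secret string replaced by a marker.
    Works on substrings, so 'key=VALUE' style arguments are covered."""
    out = []
    for v in values:
        for s in secrets:
            if s and s in v:
                v = v.replace(s, REDACTED)
        out.append(v)
    return out


def run_with_secrets(cmd: Sequence[str], secrets: Sequence[str],
                     logger: Optional[logging.Logger] = None) -> subprocess.CompletedProcess:
    """Run `cmd`; if it fails, log and re-raise a CalledProcessError whose cmd,
    stdout and stderr have the secrets scrubbed, so neither the log line nor a
    traceback that prints the exception can leak them."""
    logger = logger or logging.getLogger(__name__)
    try:
        return subprocess.run(list(cmd), capture_output=True, text=True, check=True)
    except subprocess.CalledProcessError as e:
        safe_cmd = redact_args(e.cmd, secrets)
        safe_out, safe_err = redact_args([e.stdout or "", e.stderr or ""], secrets)
        logger.error("command failed (rc=%d): %s", e.returncode, safe_cmd)
        # `from None` keeps the original (unredacted) exception out of the chain.
        raise subprocess.CalledProcessError(
            e.returncode, safe_cmd, safe_out, safe_err) from None


def demo() -> subprocess.CalledProcessError:
    """Constructed failing 'secret command': echoes its argument to stderr and
    exits 3, then returns the sanitised error the caller would see."""
    secret = "hunter2"  # constructed sample value, not a real credential
    cmd = [sys.executable, "-c",
           "import sys; print(sys.argv[1], file=sys.stderr); sys.exit(3)",
           f"token={secret}"]
    try:
        run_with_secrets(cmd, [secret])
    except subprocess.CalledProcessError as e:
        return e
    raise RuntimeError("command unexpectedly succeeded")
```

Without the wrapper, letting the original CalledProcessError propagate to a generic `except Exception: log.exception(...)` handler writes the full command line, secret included, into the charm's log.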

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2024-41129
GHSA-HCMV-JMQH-FJGM

Affected Products

Ops