Vulnerability Name:

CVE-2017-9232

Assigned:2017-05-24
Published:2017-05-26
Updated:2018-02-14
Summary:Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root.
CVSS v3 Severity:9.8 Critical (CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.8 High (CCN CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-264
References:Source: BID
Type: VENDOR_ADVISORY
98737

Source: CONFIRM
Type: VENDOR_ADVISORY
https://bugs.launchpad.net/juju/+bug/1682411

Source: XF
Type: UNKNOWN
juju-cve20179232-priv-esc(128401)

Source: EXPLOIT-DB
Type: UNKNOWN
44023

Vulnerable Configuration:Configuration 1:
  • cpe:/a:canonical:juju:1.25.12:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:alpha2:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta10:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta11:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta12:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta13:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta14:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta15:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta16:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta17:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta18:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta3:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta4:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta5:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta6:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta7:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta8:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:beta9:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.0:beta3:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.0:beta4:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.0:beta5:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:juju:2.1.2:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.xenial:def:20179232000
    V
    CVE-2017-9232 on Ubuntu 16.04 LTS (xenial) - high.
    2017-05-27
    oval:com.ubuntu.trusty:def:20179232000
    V
    CVE-2017-9232 on Ubuntu 14.04 LTS (trusty) - high.
    2017-05-27
    BACK
    canonical juju 1.25.12
    canonical juju 2.0.0
    canonical juju 2.0.0 alpha1
    canonical juju 2.0.0 alpha2
    canonical juju 2.0.0 beta1
    canonical juju 2.0.0 beta10
    canonical juju 2.0.0 beta11
    canonical juju 2.0.0 beta12
    canonical juju 2.0.0 beta13
    canonical juju 2.0.0 beta14
    canonical juju 2.0.0 beta15
    canonical juju 2.0.0 beta16
    canonical juju 2.0.0 beta17
    canonical juju 2.0.0 beta18
    canonical juju 2.0.0 beta2
    canonical juju 2.0.0 beta3
    canonical juju 2.0.0 beta4
    canonical juju 2.0.0 beta5
    canonical juju 2.0.0 beta6
    canonical juju 2.0.0 beta7
    canonical juju 2.0.0 beta8
    canonical juju 2.0.0 beta9
    canonical juju 2.0.0 rc1
    canonical juju 2.0.0 rc2
    canonical juju 2.0.0 rc3
    canonical juju 2.0.1
    canonical juju 2.0.2
    canonical juju 2.0.3
    canonical juju 2.1.0
    canonical juju 2.1.0 beta1
    canonical juju 2.1.0 beta2
    canonical juju 2.1.0 beta3
    canonical juju 2.1.0 beta4
    canonical juju 2.1.0 beta5
    canonical juju 2.1.0 rc1
    canonical juju 2.1.0 rc2
    canonical juju 2.1.1
    canonical juju 2.1.2