CVE-2024-6984: 
NixOS vulnerability analysis and mitigation

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm. The vulnerability affects multiple versions of Juju including 2.9.x, 3.1.x, 3.3.x, 3.4.x, and 3.5.x series, and has been patched in versions 2.9.50, 3.1.9, 3.3.6, 3.4.5, and 3.5.3. This vulnerability was assigned CVE-2024-6984 and was discovered in July 2024 (NVD, GitHub Advisory).

The vulnerability stems from overly broad permissions on /var/lib/juju/ directory and the leakage of sensitive context ID in error messages. When a hook is executing, an unprivileged user can capture the context ID from error messages and use it to access sensitive data. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) by Canonical Ltd., with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The issue is classified under CWE-209 (Generation of Error Message Containing Sensitive Information) (NVD, GitHub Advisory).

The vulnerability allows local unprivileged users to access sensitive data including secrets, private keys, and relation data accessible to the local charm. A single compromised host in Juju may provide arbitrary access to target applications, potentially enabling privilege abuse and escalation in the environment. The impact is particularly severe as it can expose secrets containing sensitive information of any workloads (GitHub Advisory).

The vulnerability has been patched in multiple versions: 2.9.50, 3.1.9, 3.3.6, 3.4.5, and 3.5.3. The fix involves preventing the leak of JUJUCONTEXTID in error messages and limiting the permissions within /var/lib/juju to root-only access. Users are advised to upgrade to the patched versions (GitHub Advisory, Patch).