Miggo Logo
Miggo Vulnerability Database
GHSA-phh4-3hmm-24rx

GHSA-phh4-3hmm-24rx: Duplicate Advisory: Juju makes Use of Weak Credentials

8.7

CVSS Score
3.1

Basic Information

CVE ID
-
GHSA ID
GHSA-phh4-3hmm-24rx
EPSS Score
-
CWE
CWE-1391
Published
10/2/2024
Updated
10/2/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/juju/jujugo< 0.0.0-20241001032836-2af7bd8e310b0.0.0-20241001032836-2af7bd8e310b

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key functions:

  1. NewContextFactory initializes a predictable random number generator using math/rand with time.Now().Unix() seed
  2. createContextID uses this weak RNG to generate the JUJU_CONTEXT_ID credential These functions would appear in profiler traces when generating/validating charm context IDs. The advisory's code references and PoC both directly implicate these functions as the source of credential predictability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## *upli**t* **visory T*is **visory **s ***n wit**r*wn ****us* it is * *upli**t* o* **S*-m***-****-m*v*. T*is link is m*int*in** to pr*s*rv* *xt*rn*l r***r*n**s. ## Ori*in*l **s*ription JUJU_*ONT*XT_I* is * pr**i*t**l* *ut**nti**tion s**r*t. On * Ju

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *. N*w*ont*xt***tory initi*liz*s * pr**i*t**l* r*n*om num**r **n*r*tor usin* m*t*/r*n* wit* tim*.Now().Unix() s*** *. *r**t**ont*xtI* us*s t*is w**k RN* to **n*r*t* t** JUJU_*ONT*XT_I* *r***nti*l T**s*
GHSA-phh4-3hmm-24rx: Juju Context ID Auth Bypass | Miggo