Search criteria
3 vulnerabilities found for juju\/utils by canonical
FKIE_CVE-2025-6224
Vulnerability from fkie_nvd - Published: 2025-07-01 11:15 - Updated: 2025-09-10 16:08
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it.
References
| URL | Tags | ||
|---|---|---|---|
| security@ubuntu.com | https://github.com/juju/utils/security/advisories/GHSA-h34r-jxqm-qgpr | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | juju\/utils | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:juju\\/utils:*:*:*:*:*:go:*:*",
"matchCriteriaId": "A9C6BB14-8867-4606-9CCB-7EEBC1230202",
"versionEndExcluding": "4.0.4",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it."
},
{
"lang": "es",
"value": "La generaci\u00f3n de certificados en juju/utils mediante la funci\u00f3n cert.NewLeaf podr\u00eda incluir informaci\u00f3n privada. Si este certificado se transfiriera por la red en texto plano, un atacante que escuchara en esa red podr\u00eda rastrearlo y extraer f\u00e1cilmente su clave privada."
}
],
"id": "CVE-2025-6224",
"lastModified": "2025-09-10T16:08:34.040",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-07-01T11:15:21.770",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/juju/utils/security/advisories/GHSA-h34r-jxqm-qgpr"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
}
]
}
CVE-2025-6224 (GCVE-0-2025-6224)
Vulnerability from cvelistv5 – Published: 2025-07-01 10:39 – Updated: 2025-07-01 14:30
VLAI?
Summary
Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it.
Severity ?
6.5 (Medium)
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Juju utils |
Affected:
4.0.1 , ≤ 4.0.3
(semver)
|
Credits
Josh McSavaney
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T14:30:33.241503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T14:30:51.639Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "juju utils",
"platforms": [
"Linux"
],
"product": "Juju utils",
"repo": "https://github.com/juju/utils",
"vendor": "Canonical",
"versions": [
{
"lessThanOrEqual": "4.0.3",
"status": "affected",
"version": "4.0.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Josh McSavaney"
}
],
"datePublic": "2025-07-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T10:39:34.322Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/juju/utils/security/advisories/GHSA-h34r-jxqm-qgpr"
}
],
"source": {
"advisory": "https://github.com/juju/utils/security/advisories/GHSA-h34r-jxqm-qgpr",
"discovery": "EXTERNAL"
},
"title": "Key leakage in juju/utils certificates"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-6224",
"datePublished": "2025-07-01T10:39:34.322Z",
"dateReserved": "2025-06-18T08:48:41.677Z",
"dateUpdated": "2025-07-01T14:30:51.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6224 (GCVE-0-2025-6224)
Vulnerability from nvd – Published: 2025-07-01 10:39 – Updated: 2025-07-01 14:30
VLAI?
Summary
Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it.
Severity ?
6.5 (Medium)
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Juju utils |
Affected:
4.0.1 , ≤ 4.0.3
(semver)
|
Credits
Josh McSavaney
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T14:30:33.241503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T14:30:51.639Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "juju utils",
"platforms": [
"Linux"
],
"product": "Juju utils",
"repo": "https://github.com/juju/utils",
"vendor": "Canonical",
"versions": [
{
"lessThanOrEqual": "4.0.3",
"status": "affected",
"version": "4.0.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Josh McSavaney"
}
],
"datePublic": "2025-07-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T10:39:34.322Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/juju/utils/security/advisories/GHSA-h34r-jxqm-qgpr"
}
],
"source": {
"advisory": "https://github.com/juju/utils/security/advisories/GHSA-h34r-jxqm-qgpr",
"discovery": "EXTERNAL"
},
"title": "Key leakage in juju/utils certificates"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-6224",
"datePublished": "2025-07-01T10:39:34.322Z",
"dateReserved": "2025-06-18T08:48:41.677Z",
"dateUpdated": "2025-07-01T14:30:51.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}