CVE-2024-41129

MEDIUM

Pypi Ops < 2.15.0 - Log Information Exposure

Title source: rule

Description

The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0.

References (2)

[Vendor Advisory] https://github.com/canonical/operator/security/advisories/GHSA-hcmv-jmqh-fjgm

[Patch] https://github.com/canonical/operator/commit/fea6d2072435a62170d4c01272572f1a7e916e61

View Patch ZIP pw:eip

Scores

CVSS v3 4.4

EPSS 0.0004

EPSS Percentile 13.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (2)

canonical/operator >= 2.0.0, < 2.15.0

pypi/ops 2.0.0 - 2.15.0PyPI

Published Jul 22, 2024

Tracked Since Feb 18, 2026