Description

Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it.
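As an added example (not code from juju/utils or from the advisory), the Go sketch below shows a defensive check that PEM data about to be sent as a certificate carries no private key block. It does not call cert.NewLeaf; the names PrivateKeyBlocks and SampleLeaf are hypothetical, and the self-signed certificate and key are constructed at run time for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// PrivateKeyBlocks returns the type of every PEM block in data that carries
// private key material (PKCS#8, PKCS#1, SEC1, encrypted and OpenSSH forms).
func PrivateKeyBlocks(data []byte) (found []string) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if strings.HasSuffix(block.Type, "PRIVATE KEY") {
			found = append(found, block.Type)
		}
	}
	return found
}

// SampleLeaf builds a constructed self-signed certificate and its key as PEM.
func SampleLeaf() (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, err
}

func main() {
	certPEM, keyPEM, err := SampleLeaf()
	if err != nil {
		panic(err)
	}
	fmt.Println("certificate only:", PrivateKeyBlocks(certPEM))
	fmt.Println("certificate plus key:", PrivateKeyBlocks(append(certPEM, keyPEM...)))
}
```

A non-empty result means the data must not be published or sent over an unencrypted channel as if it were only a certificate.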

PUBLISHED Reserved 2025-06-18 | Published 2025-07-01 | Updated 2025-07-01 | Assigner canonical




MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Problem types

CWE-312 Cleartext Storage of Sensitive Information

Product status

Default status
unaffected

4.0.1 (semver)
affected

Credits

Josh McSavaney reporter

References

github.com/.../utils/security/advisories/GHSA-h34r-jxqm-qgpr

cve.org (CVE-2025-6224)

nvd.nist.gov (CVE-2025-6224)