Filtered by vendor Canonical
Subscribe
Total
4299 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-3351 | 2 Canonical, Linux | 2 Lxd, Linux Kernel | 2026-06-17 | N/A | 4.3 MEDIUM |
| Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server. | |||||
| CVE-2026-34179 | 1 Canonical | 1 Lxd | 2026-06-17 | N/A | 9.1 CRITICAL |
| In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin. | |||||
| CVE-2026-34178 | 1 Canonical | 1 Lxd | 2026-06-17 | N/A | 9.1 CRITICAL |
| In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise. | |||||
| CVE-2026-34177 | 1 Canonical | 1 Lxd | 2026-06-17 | N/A | 9.1 CRITICAL |
| Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root. | |||||
| CVE-2026-32694 | 1 Canonical | 1 Juju | 2026-06-17 | N/A | 6.6 MEDIUM |
| In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker. | |||||
| CVE-2026-32693 | 1 Canonical | 1 Juju | 2026-06-17 | N/A | 8.8 HIGH |
| In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee. | |||||
| CVE-2026-32692 | 1 Canonical | 1 Juju | 2026-06-17 | N/A | 7.6 HIGH |
| An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end. | |||||
| CVE-2026-32691 | 1 Canonical | 1 Juju | 2026-06-17 | N/A | 5.3 MEDIUM |
| A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision. | |||||
| CVE-2026-31431 | 11 Amazon, Arista, Canonical and 8 more | 43 Amazon Linux, Cloudvision Agni, Cloudvision Portal and 40 more | 2026-06-17 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. | |||||
| CVE-2025-7044 | 1 Canonical | 1 Maas | 2026-06-17 | N/A | 7.7 HIGH |
| An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment. | |||||
| CVE-2025-6966 | 3 Canonical, Debian, Ubuntu | 3 Ubuntu Linux, Debian Linux, Python-apt | 2026-06-17 | N/A | 5.5 MEDIUM |
| NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key. | |||||
| CVE-2025-6224 | 1 Canonical | 1 Juju\/utils | 2026-06-17 | N/A | 6.5 MEDIUM |
| Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it. | |||||
| CVE-2025-68153 | 1 Canonical | 1 Juju | 2026-06-17 | N/A | 6.5 MEDIUM |
| Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19. | |||||
| CVE-2025-68152 | 1 Canonical | 1 Juju | 2026-06-17 | N/A | 4.9 MEDIUM |
| Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19. | |||||
| CVE-2025-5689 | 1 Canonical | 1 Authd | 2026-06-17 | N/A | 8.5 HIGH |
| A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user login for the first time will be considered to be part of the root group in the context of that SSH session. | |||||
| CVE-2025-5467 | 1 Canonical | 1 Apport | 2026-06-17 | N/A | 3.3 LOW |
| It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups. | |||||
| CVE-2025-5199 | 2 Apple, Canonical | 2 Macos, Multipass | 2026-06-17 | N/A | 7.3 HIGH |
| In Canonical Multipass up to and including version 1.15.1 on macOS, incorrect default permissions allow a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup. | |||||
| CVE-2025-5054 | 1 Canonical | 2 Apport, Ubuntu Linux | 2026-06-17 | N/A | 4.7 MEDIUM |
| Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1). | |||||
| CVE-2025-54293 | 2 Canonical, Linux | 2 Lxd, Linux Kernel | 2026-06-17 | N/A | 6.5 MEDIUM |
| Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links. | |||||
| CVE-2025-54292 | 1 Canonical | 1 Lxd | 2026-06-17 | N/A | 4.6 MEDIUM |
| Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths. | |||||