CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
Analysis
Privilege escalation in Canonical Juju 2.9.0 through 3.6.18 allows any authenticated user, machine agent, or sub-controller to modify application resources across the entire Juju controller, bypassing intended authorization boundaries. CVSS 7.1 (High) with network-accessible attack vector and low complexity. EPSS data not provided; no public exploit identified at time of analysis. Vendor-released patches available in versions 2.9.56 and 3.6.19.
Technical Context
Juju is Canonical's application orchestration and deployment platform that manages cloud-native applications through operators called 'charms' across multi-cloud and bare-metal infrastructure. This vulnerability stems from improper authorization enforcement (CWE-863: Incorrect Authorization) in the resource management subsystem. The affected component fails to properly validate whether an authenticated principal (user account, machine agent, or nested controller) has legitimate access rights to modify application resources within the controller's scope. The CVSS vector indicates network-based exploitation with low attack complexity, requiring low-privileged authentication but no user interaction, resulting in high integrity impact on the vulnerable system. The CPE identifier confirms impact on the core Juju application across the vulnerable version ranges, affecting both the 2.9.x maintenance branch and the 3.6.x current release series prior to patching.
Affected Products
Canonical Juju versions 2.9.0 through 2.9.55 and 3.6.0 through 3.6.18 are affected, identified via CPE cpe:2.3:a:juju:juju. Both the legacy 2.9 long-term support branch and the current 3.6 release series contain the authorization flaw. The vulnerability impacts all deployment scenarios where Juju controllers manage applications with multiple authenticated principals, including cloud deployments on AWS, Azure, Google Cloud, OpenStack, and bare-metal infrastructure managed through MAAS. Vendor security advisory available at https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2 provides official confirmation of affected versions and exploitation scope.
Remediation
Vendor-released patches are available in Juju 2.9.56 and 3.6.19, which contain authorization fixes to properly validate resource modification permissions. Organizations should immediately upgrade to these patched versions through standard Juju controller upgrade procedures documented at the project repository. For the 2.9.x branch, upgrade to version 2.9.56 or later; for 3.6.x deployments, upgrade to 3.6.19 or later. The fix commit is available at https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4 for source-build deployments. Until patching is complete, implement compensating controls by restricting authenticated user creation, auditing application resource modifications through Juju logs, and minimizing the number of machine agents and nested controllers with controller-level access. Review existing application resources for unauthorized modifications if untrusted authenticated principals had access during the vulnerable period.
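The following is an added example, not code from vuln.today or the Juju project, that encodes the affected and fixed version ranges stated above so a controller inventory can be triaged for the upgrade. The controller names and version strings are constructed; the assumption that `juju version` may append a "-series-arch" suffix (e.g. "2.9.42-ubuntu-amd64") is the example's own.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the advisory states them:
# [2.9.0, 2.9.56) and [3.6.0, 3.6.19). The upper bound of each
# range is the first fixed release on that branch. Versions outside
# these two branches are not listed as affected on this page.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((2, 9, 0), (2, 9, 56)),
    ((3, 6, 0), (3, 6, 19)),
)

# Leading major.minor[.patch]; anything after (e.g. "-ubuntu-amd64",
# assumed suffix format) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Extract numeric major.minor.patch; a missing patch counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fixed_version_for(text: str) -> Optional[str]:
    """Return the first fixed release on the same branch, or None if the
    version is outside the affected ranges stated in the advisory."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"unrecognised Juju version string: {text!r}")
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_affected(text: str) -> bool:
    return fixed_version_for(text) is not None


def triage(controllers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map controller name -> required upgrade target (None = not affected)."""
    return {name: fixed_version_for(ver) for name, ver in controllers.items()}


# Constructed sample inventory (names and versions are made up).
SAMPLE_CONTROLLERS = {
    "prod-aws": "2.9.42-ubuntu-amd64",
    "staging": "3.6.18",
    "dev": "3.6.19",
    "legacy": "2.8.13",
}
```

Calling `triage(SAMPLE_CONTROLLERS)` yields the upgrade target per controller; pipe real `juju version` or `juju controllers` output into it in place of the sample.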
EUVD-2025-209211
GHSA-245v-p8fj-vwm2