Juju
Monthly
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentials via CloudSpec API. Affects Juju 2.9.0-2.9.56 and 3.6.0-3.6.20. Low-privileged authenticated attackers can escalate privileges by accessing sensitive cloud provider credentials, enabling lateral movement to infrastructure resources. Network-accessible with low complexity (CVSS 9.9 Critical). No public exploit identified at time of analysis. Patch available in versions 2.9.57 and 3.6.21.
Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to tamper with application resources across the entire controller scope. Affects Juju 2.9.0-2.9.55 and 3.6.0-3.6.18. Patched in versions 2.9.56 and 3.6.19. EPSS score of 0.01% suggests low probability of mass exploitation. No active exploitation confirmed (not in CISA KEV). Authentication requirement (PR:L) limits attack surface to compromised credentials or malicious insiders.
Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to read arbitrary log files for any entity across any model without proper authorization checks. This authentication bypass (CWE-863) affects high-privilege scenarios where an attacker already controls a machine within a Juju-managed infrastructure, enabling lateral information disclosure to extract sensitive operational logs. The vulnerability has been patched in Juju 2.9.56 and 3.6.19.
Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows complete data exfiltration and manipulation through missing TLS certificate validation on Dqlite database endpoints. The controller's database cluster accepts unauthorized node joins from any network-accessible attacker, granting full read/write access to all stored credentials, configurations, and orchestration data. With CVSS 10.0 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a critical authentication bypass in infrastructure-as-code environments. No public exploit identified at time of analysis, though exploitation requires only network access to the Dqlite port without authentication complexity.
A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to enumerate and predict previously granted secrets owned by the same administrator, enabling unauthorized access to resources intended for other applications. An attacker with high privileges and control over at least one deployed application can exploit this to obtain credentials or configuration data from past secret grants, resulting in information disclosure and potential privilege escalation. While the CVSS score is moderate at 6.6 and exploitation requires specific configuration and high privileges, the fundamental weakness in secret ownership verification represents a significant trust boundary violation in Juju's secret management architecture.
An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with grantee privileges to incorrectly update secret content beyond their intended permissions, potentially accessing or modifying other secrets. The vulnerability (CWE-863: Incorrect Authorization) has a CVSS score of 8.8, indicating high severity with network-based exploitation requiring low attack complexity and low privileges. The flaw is particularly dangerous because even when exploitation attempts are logged as errors, the unauthorized secret updates still persist and become visible to both owners and grantees.
An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestration tool, allowing authenticated unit agents to perform unauthorized updates to secret revisions beyond their intended scope. Juju versions 3.1.6 through 3.6.18 are affected, and attackers with sufficient information can poison any existing secret revision within the Vault secret back-end scope. With a CVSS score of 7.6 (High severity) featuring network attack vector, low complexity, and high integrity impact, this represents a significant security concern for Juju deployments using Vault as their secrets back-end, though no active exploitation (KEV) status or EPSS score was provided in available data.
Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm.
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information.
An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Vulnerable juju introspection abstract UNIX domain socket. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Vulnerable juju hook tool abstract UNIX domain socket. Rated medium severity (CVSS 6.5). This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.
JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity. Public exploit code available.
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 81.6%.
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentials via CloudSpec API. Affects Juju 2.9.0-2.9.56 and 3.6.0-3.6.20. Low-privileged authenticated attackers can escalate privileges by accessing sensitive cloud provider credentials, enabling lateral movement to infrastructure resources. Network-accessible with low complexity (CVSS 9.9 Critical). No public exploit identified at time of analysis. Patch available in versions 2.9.57 and 3.6.21.
Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to tamper with application resources across the entire controller scope. Affects Juju 2.9.0-2.9.55 and 3.6.0-3.6.18. Patched in versions 2.9.56 and 3.6.19. EPSS score of 0.01% suggests low probability of mass exploitation. No active exploitation confirmed (not in CISA KEV). Authentication requirement (PR:L) limits attack surface to compromised credentials or malicious insiders.
Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to read arbitrary log files for any entity across any model without proper authorization checks. This authentication bypass (CWE-863) affects high-privilege scenarios where an attacker already controls a machine within a Juju-managed infrastructure, enabling lateral information disclosure to extract sensitive operational logs. The vulnerability has been patched in Juju 2.9.56 and 3.6.19.
Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows complete data exfiltration and manipulation through missing TLS certificate validation on Dqlite database endpoints. The controller's database cluster accepts unauthorized node joins from any network-accessible attacker, granting full read/write access to all stored credentials, configurations, and orchestration data. With CVSS 10.0 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a critical authentication bypass in infrastructure-as-code environments. No public exploit identified at time of analysis, though exploitation requires only network access to the Dqlite port without authentication complexity.
A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to enumerate and predict previously granted secrets owned by the same administrator, enabling unauthorized access to resources intended for other applications. An attacker with high privileges and control over at least one deployed application can exploit this to obtain credentials or configuration data from past secret grants, resulting in information disclosure and potential privilege escalation. While the CVSS score is moderate at 6.6 and exploitation requires specific configuration and high privileges, the fundamental weakness in secret ownership verification represents a significant trust boundary violation in Juju's secret management architecture.
An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with grantee privileges to incorrectly update secret content beyond their intended permissions, potentially accessing or modifying other secrets. The vulnerability (CWE-863: Incorrect Authorization) has a CVSS score of 8.8, indicating high severity with network-based exploitation requiring low attack complexity and low privileges. The flaw is particularly dangerous because even when exploitation attempts are logged as errors, the unauthorized secret updates still persist and become visible to both owners and grantees.
An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestration tool, allowing authenticated unit agents to perform unauthorized updates to secret revisions beyond their intended scope. Juju versions 3.1.6 through 3.6.18 are affected, and attackers with sufficient information can poison any existing secret revision within the Vault secret back-end scope. With a CVSS score of 7.6 (High severity) featuring network attack vector, low complexity, and high integrity impact, this represents a significant security concern for Juju deployments using Vault as their secrets back-end, though no active exploitation (KEV) status or EPSS score was provided in available data.
Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm.
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information.
An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Vulnerable juju introspection abstract UNIX domain socket. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Vulnerable juju hook tool abstract UNIX domain socket. Rated medium severity (CVSS 6.5). This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.
JUJU_CONTEXT_ID is a predictable authentication secret. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity. Public exploit code available.
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 81.6%.