Search

Find a vulnerability

Search criteria

    40 vulnerabilities found for Juju by Canonical

    CVE-2026-5774 (GCVE-0-2026-5774)

    Vulnerability from nvd – Published: 2026-04-10 12:10 – Updated: 2026-04-10 12:41
    VLAI
    Title
    Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map
    Summary
    Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.0.0 , < 2.9.57 (semver)
    Affected: 3.0.0 , < 3.6.21 (semver)
    Affected: 4.0.0 , < 4.0.6 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5774",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T12:41:23.862481Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T12:41:28.720Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.57",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.21",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.0.6",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-26",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-26: Leveraging Race Conditions"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T12:10:55.634Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"
            },
            {
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/pull/22206"
            },
            {
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/pull/22205"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-5774",
        "datePublished": "2026-04-10T12:10:55.634Z",
        "dateReserved": "2026-04-08T07:22:06.115Z",
        "dateUpdated": "2026-04-10T12:41:28.720Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5412 (GCVE-0-2026-5412)

    Vulnerability from nvd – Published: 2026-04-10 12:22 – Updated: 2026-04-10 14:04
    VLAI
    Title
    Juju CloudSpec API could leak senstive information
    Summary
    In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.9.0 , < 2.9.57 (semver)
    Affected: 3.6.0 , < 3.6.21 (semver)
    Create a notification for this product.
    Credits
    Ales Stimec
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5412",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T14:03:51.021044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T14:04:30.155Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.57",
                  "status": "affected",
                  "version": "2.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.21",
                  "status": "affected",
                  "version": "3.6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ales Stimec"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37: Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T12:22:05.403Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "CloudSpec method leaking cloud credentials",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969"
            },
            {
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/pull/22206"
            },
            {
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/pull/22205"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Juju CloudSpec API could leak senstive information"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-5412",
        "datePublished": "2026-04-10T12:22:05.403Z",
        "dateReserved": "2026-04-02T07:07:23.750Z",
        "dateUpdated": "2026-04-10T14:04:30.155Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-68153 (GCVE-0-2025-68153)

    Vulnerability from nvd – Published: 2026-04-03 15:28 – Updated: 2026-04-04 03:16
    VLAI
    Title
    Juju: Resource poisoning
    Summary
    Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    juju juju Affected: >= 2.9, < 2.9.56
    Affected: >= 3.6, < 3.6.19
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-68153",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-04T03:16:45.400020Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-04T03:16:56.632Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "juju",
              "vendor": "juju",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.9, \u003c 2.9.56"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.6, \u003c 3.6.19"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T15:28:06.191Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2"
            },
            {
              "name": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4"
            }
          ],
          "source": {
            "advisory": "GHSA-245v-p8fj-vwm2",
            "discovery": "UNKNOWN"
          },
          "title": "Juju: Resource poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-68153",
        "datePublished": "2026-04-03T15:28:06.191Z",
        "dateReserved": "2025-12-15T20:13:34.486Z",
        "dateUpdated": "2026-04-04T03:16:56.632Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-68152 (GCVE-0-2025-68152)

    Vulnerability from nvd – Published: 2026-04-03 15:25 – Updated: 2026-04-03 20:03
    VLAI
    Title
    Juju: Read All Controller Logs From Compromised Workload
    Summary
    Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    juju juju Affected: >= 2.9, < 2.9.56
    Affected: >= 3.6, < 3.6.19
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-68152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T20:03:33.273121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T20:03:45.979Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "juju",
              "vendor": "juju",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.9, \u003c 2.9.56"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.6, \u003c 3.6.19"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T15:25:56.142Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw"
            },
            {
              "name": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e"
            },
            {
              "name": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3"
            }
          ],
          "source": {
            "advisory": "GHSA-j6f6-jp3p-53mw",
            "discovery": "UNKNOWN"
          },
          "title": "Juju: Read All Controller Logs From Compromised Workload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-68152",
        "datePublished": "2026-04-03T15:25:56.142Z",
        "dateReserved": "2025-12-15T20:13:34.486Z",
        "dateUpdated": "2026-04-03T20:03:45.979Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4370 (GCVE-0-2026-4370)

    Vulnerability from nvd – Published: 2026-04-01 08:09 – Updated: 2026-04-08 07:27
    VLAI
    Title
    Improper TLS Client/Server authentication and certificate verification on Database Cluster
    Summary
    A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper certificate validation
    • CWE-306 - Missing authentication for critical function
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.2.0 , < 3.6.20 (semver)
    Affected: 4.0 , < 4.0.4 (semver)
    Create a notification for this product.
    Credits
    Harry Pidcock Thomas Miller Joseph Phillips Ian Booth
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4370",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-01T13:00:31.628747Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T13:01:08.226Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.20",
                  "status": "affected",
                  "version": "3.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.0.4",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Harry Pidcock"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Thomas Miller"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Joseph Phillips"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Ian Booth"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller\u0027s database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller\u0027s Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            },
            {
              "capecId": "CAPEC-94",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-94 Adversary in the Middle (AiTM)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper certificate validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing authentication for critical function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T07:27:16.821Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Improper TLS Client/Server authentication and certificate verification on Database Cluster"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-4370",
        "datePublished": "2026-04-01T08:09:17.570Z",
        "dateReserved": "2026-03-18T08:46:09.947Z",
        "dateUpdated": "2026-04-08T07:27:16.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32694 (GCVE-0-2026-32694)

    Vulnerability from nvd – Published: 2026-03-18 12:55 – Updated: 2026-03-18 13:40
    VLAI
    Title
    Insecure Direct Object Reference attack via predictable secret ID in Juju
    Summary
    In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-343 - Predictable value range from previous values
    • CWE-639 - Authorization bypass through User-Controlled key
    Assigner
    References
    URL Tags
    https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.0.0 , < 3.6.19 (semver)
    Create a notification for this product.
    Credits
    Dima Tisnek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32694",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-18T13:39:10.787656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-18T13:40:33.981Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.19",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dima Tisnek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-59",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-59: Session Credential Falsification through Prediction"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-343",
                  "description": "CWE-343 Predictable value range from previous values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through User-Controlled key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-18T12:55:42.948Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "vdb-entry"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Insecure Direct Object Reference attack via predictable secret ID in Juju"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-32694",
        "datePublished": "2026-03-18T12:55:42.948Z",
        "dateReserved": "2026-03-13T12:53:34.544Z",
        "dateUpdated": "2026-03-18T13:40:33.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32693 (GCVE-0-2026-32693)

    Vulnerability from nvd – Published: 2026-03-18 12:47 – Updated: 2026-03-18 13:19
    VLAI
    Title
    Unauthorized access to Kubernetes secrets in Juju
    Summary
    In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.0.0 , < 3.6.19 (semver)
    Create a notification for this product.
    Credits
    Dima Tisnek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32693",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-18T13:16:08.879696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-18T13:19:58.719Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.19",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dima Tisnek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-124",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-124: Shared Resource Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-778",
                  "description": "CWE-778 Insufficient logging",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-18T12:47:02.982Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "vdb-entry"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unauthorized access to Kubernetes secrets in Juju"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-32693",
        "datePublished": "2026-03-18T12:47:02.982Z",
        "dateReserved": "2026-03-13T12:53:34.544Z",
        "dateUpdated": "2026-03-18T13:19:58.719Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32692 (GCVE-0-2026-32692)

    Vulnerability from nvd – Published: 2026-03-18 12:35 – Updated: 2026-03-18 13:42
    VLAI
    Title
    Unauthorized update of out-of-scope Vault secrets
    Summary
    An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.1.6 , < 3.6.19 (semver)
    Create a notification for this product.
    Credits
    Harry Pidcock
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32692",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-18T13:26:45.654119Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-18T13:42:54.697Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.19",
                  "status": "affected",
                  "version": "3.1.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Harry Pidcock"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285 Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-18T12:35:29.274Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "vdb-entry"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-89x7-5m5m-mcmm"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unauthorized update of out-of-scope Vault secrets"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-32692",
        "datePublished": "2026-03-18T12:35:29.274Z",
        "dateReserved": "2026-03-13T12:53:34.544Z",
        "dateUpdated": "2026-03-18T13:42:54.697Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32691 (GCVE-0-2026-32691)

    Vulnerability from nvd – Published: 2026-03-18 12:28 – Updated: 2026-03-18 13:49
    VLAI
    Title
    Timing ownership claim attack on new external back-end secrets
    Summary
    A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-708 - Incorrect ownership assignment
    Assigner
    References
    URL Tags
    https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.0.0 , < 3.6.19 (semver)
    Create a notification for this product.
    Credits
    Harry Pidcock
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32691",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-18T13:46:45.894829Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-18T13:49:09.338Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.19",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Harry Pidcock"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret\u0027s first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-29",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-708",
                  "description": "CWE-708 Incorrect ownership assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-18T12:28:11.546Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "vdb-entry"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Timing ownership claim attack on new external back-end secrets"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-32691",
        "datePublished": "2026-03-18T12:28:11.546Z",
        "dateReserved": "2026-03-13T12:53:34.544Z",
        "dateUpdated": "2026-03-18T13:49:09.338Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1237 (GCVE-0-2026-1237)

    Vulnerability from nvd – Published: 2026-01-28 15:01 – Updated: 2026-01-28 15:06
    VLAI
    Summary
    Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-672 - Operation on a Resource after Expiration or Release
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    Canonical juju Affected: 0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1237",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-28T15:05:47.431871Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-28T15:06:23.120Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vulnerable cross-model authorization in juju. If a charm\u0027s cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "ADJACENT",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-672",
                  "description": "CWE-672 Operation on a Resource after Expiration or Release",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347 Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-28T15:01:46.364Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-1237",
        "datePublished": "2026-01-28T15:01:46.364Z",
        "dateReserved": "2026-01-20T16:56:24.051Z",
        "dateUpdated": "2026-01-28T15:06:23.120Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0928 (GCVE-0-2025-0928)

    Vulnerability from nvd – Published: 2025-07-08 17:20 – Updated: 2025-07-08 17:36
    VLAI
    Title
    Arbitrary executable upload via authenticated endpoint
    Summary
    In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.0.0 , < 2.9.52 (semver)
    Affected: 3.0.0 , < 3.6.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0928",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-08T17:35:31.515571Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-08T17:36:20.075Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://juju.is/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.52",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution."
                }
              ],
              "value": "In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "A malicious agent binary could be leveraged to achieve remote code execution on newly provisioned or upgraded machines."
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-08T17:20:04.608Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Arbitrary executable upload via authenticated endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-0928",
        "datePublished": "2025-07-08T17:20:04.608Z",
        "dateReserved": "2025-01-31T10:43:45.458Z",
        "dateUpdated": "2025-07-08T17:36:20.075Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53513 (GCVE-0-2025-53513)

    Vulnerability from nvd – Published: 2025-07-08 16:57 – Updated: 2025-07-09 14:00
    VLAI
    Title
    Zip slip vulnerability in Juju
    Summary
    The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-24 - Path Traversal: '../filedir'
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.0.0 , < 2.9.52 (semver)
    Affected: 3.0.0 , < 3.6.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53513",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-09T14:00:06.132356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-09T14:00:10.613Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://juju.is/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.52",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "A charm that exploits a Zip Slip vulnerability may be used to gain access to a machine running a unit that uses the affected charm."
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-24",
                  "description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-08T16:57:06.351Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8"
            }
          ],
          "source": {
            "advisory": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8",
            "discovery": "INTERNAL"
          },
          "title": "Zip slip vulnerability in Juju"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-53513",
        "datePublished": "2025-07-08T16:57:06.351Z",
        "dateReserved": "2025-07-02T08:52:42.037Z",
        "dateUpdated": "2025-07-09T14:00:10.613Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53512 (GCVE-0-2025-53512)

    Vulnerability from nvd – Published: 2025-07-08 16:47 – Updated: 2025-07-08 19:09
    VLAI
    Title
    Sensitive log retrieval in Juju
    Summary
    The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-285 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.0.0 , < 2.9.52 (semver)
    Affected: 3.0.0 , < 3.6.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53512",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-08T19:09:11.652417Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-08T19:09:24.844Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://juju.is/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.52",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Any user with a Juju account on a controller could read debug log messages from the /log endpoint."
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-08T16:47:44.427Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63"
            }
          ],
          "source": {
            "advisory": "https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63",
            "discovery": "INTERNAL"
          },
          "title": "Sensitive log retrieval in Juju"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-53512",
        "datePublished": "2025-07-08T16:47:44.427Z",
        "dateReserved": "2025-07-02T08:52:42.036Z",
        "dateUpdated": "2025-07-08T19:09:24.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0092 (GCVE-0-2023-0092)

    Vulnerability from nvd – Published: 2025-01-31 01:41 – Updated: 2025-02-07 16:10
    VLAI
    Summary
    An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Ltd. Juju Affected: 2.9.22 , < 2.9.38 (semver)
    Affected: 3.0.0 , < 3.0.3 (semver)
    Affected: 2.9.38 , < 3.0.3 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0092",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T16:10:08.920084Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-07T16:10:14.052Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical Ltd.",
              "versions": [
                {
                  "lessThan": "2.9.38",
                  "status": "affected",
                  "version": "2.9.22",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.3",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.3",
                  "status": "affected",
                  "version": "2.9.38",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller\u0027s filesystem."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-31T01:41:46.439Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/advisories/GHSA-x5rv-w9pm-8qp8"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/juju/juju/commit/ef803e2a13692d355b784b7da8b4b1f01dab1556"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2023-0092",
        "datePublished": "2025-01-31T01:41:46.439Z",
        "dateReserved": "2023-01-05T20:43:04.614Z",
        "dateUpdated": "2025-02-07T16:10:14.052Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8038 (GCVE-0-2024-8038)

    Vulnerability from nvd – Published: 2024-10-02 10:12 – Updated: 2024-10-02 13:53
    VLAI
    Summary
    Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical Ltd. Juju Affected: 3.5 , < 3.5.4 (semver)
    Affected: 3.4 , < 3.4.6 (semver)
    Affected: 3.3 , < 3.3.7 (semver)
    Affected: 3.1 , < 3.1.10 (semver)
    Affected: 2.9 , < 2.9.51 (semver)
    Create a notification for this product.
    Credits
    Harry Pidcock Harry Pidcock Mark Esler
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8038",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T13:52:58.112532Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T13:53:24.639Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical Ltd.",
              "versions": [
                {
                  "lessThan": "3.5.4",
                  "status": "affected",
                  "version": "3.5",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.4.6",
                  "status": "affected",
                  "version": "3.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.3.7",
                  "status": "affected",
                  "version": "3.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1.10",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.9.51",
                  "status": "affected",
                  "version": "2.9",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Harry Pidcock"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Harry Pidcock"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Mark Esler"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-420",
                  "description": "CWE-420",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-02T10:12:38.806Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2024-8038"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2024-8038",
        "datePublished": "2024-10-02T10:12:38.806Z",
        "dateReserved": "2024-08-21T01:05:01.458Z",
        "dateUpdated": "2024-10-02T13:53:24.639Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8037 (GCVE-0-2024-8037)

    Vulnerability from nvd – Published: 2024-10-02 10:12 – Updated: 2024-11-01 15:31
    VLAI
    Summary
    Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical Ltd. Juju Affected: 3.5 , < 3.5.4 (semver)
    Affected: 3.4 , < 3.4.6 (semver)
    Affected: 3.3 , < 3.3.7 (semver)
    Affected: 3.1 , < 3.1.10 (semver)
    Affected: 2.9 , < 2.9.51 (semver)
    Create a notification for this product.
    Credits
    Pedro Guimaraes Harry Pidcock Mark Esler
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8037",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T13:56:28.477251Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-01T15:31:40.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical Ltd.",
              "versions": [
                {
                  "lessThan": "3.5.4",
                  "status": "affected",
                  "version": "3.5",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.4.6",
                  "status": "affected",
                  "version": "3.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.3.7",
                  "status": "affected",
                  "version": "3.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1.10",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.9.51",
                  "status": "affected",
                  "version": "2.9",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pedro Guimaraes"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Harry Pidcock"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Mark Esler"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are normally reserved to a juju charm."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-02T10:12:32.318Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-8v4w-f4r9-7h6x"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2024-8037"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2024-8037",
        "datePublished": "2024-10-02T10:12:32.318Z",
        "dateReserved": "2024-08-21T00:45:34.399Z",
        "dateUpdated": "2024-11-01T15:31:40.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-5412 (GCVE-0-2026-5412)

    Vulnerability from cvelistv5 – Published: 2026-04-10 12:22 – Updated: 2026-04-10 14:04
    VLAI
    Title
    Juju CloudSpec API could leak senstive information
    Summary
    In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.9.0 , < 2.9.57 (semver)
    Affected: 3.6.0 , < 3.6.21 (semver)
    Create a notification for this product.
    Credits
    Ales Stimec
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5412",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T14:03:51.021044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T14:04:30.155Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.57",
                  "status": "affected",
                  "version": "2.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.21",
                  "status": "affected",
                  "version": "3.6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ales Stimec"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37: Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T12:22:05.403Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "CloudSpec method leaking cloud credentials",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969"
            },
            {
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/pull/22206"
            },
            {
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/pull/22205"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Juju CloudSpec API could leak senstive information"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-5412",
        "datePublished": "2026-04-10T12:22:05.403Z",
        "dateReserved": "2026-04-02T07:07:23.750Z",
        "dateUpdated": "2026-04-10T14:04:30.155Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5774 (GCVE-0-2026-5774)

    Vulnerability from cvelistv5 – Published: 2026-04-10 12:10 – Updated: 2026-04-10 12:41
    VLAI
    Title
    Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map
    Summary
    Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.0.0 , < 2.9.57 (semver)
    Affected: 3.0.0 , < 3.6.21 (semver)
    Affected: 4.0.0 , < 4.0.6 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5774",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T12:41:23.862481Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T12:41:28.720Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.57",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.21",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.0.6",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-26",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-26: Leveraging Race Conditions"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T12:10:55.634Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"
            },
            {
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/pull/22206"
            },
            {
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/juju/juju/pull/22205"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-5774",
        "datePublished": "2026-04-10T12:10:55.634Z",
        "dateReserved": "2026-04-08T07:22:06.115Z",
        "dateUpdated": "2026-04-10T12:41:28.720Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-68153 (GCVE-0-2025-68153)

    Vulnerability from cvelistv5 – Published: 2026-04-03 15:28 – Updated: 2026-04-04 03:16
    VLAI
    Title
    Juju: Resource poisoning
    Summary
    Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    juju juju Affected: >= 2.9, < 2.9.56
    Affected: >= 3.6, < 3.6.19
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-68153",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-04T03:16:45.400020Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-04T03:16:56.632Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "juju",
              "vendor": "juju",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.9, \u003c 2.9.56"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.6, \u003c 3.6.19"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T15:28:06.191Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2"
            },
            {
              "name": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4"
            }
          ],
          "source": {
            "advisory": "GHSA-245v-p8fj-vwm2",
            "discovery": "UNKNOWN"
          },
          "title": "Juju: Resource poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-68153",
        "datePublished": "2026-04-03T15:28:06.191Z",
        "dateReserved": "2025-12-15T20:13:34.486Z",
        "dateUpdated": "2026-04-04T03:16:56.632Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-68152 (GCVE-0-2025-68152)

    Vulnerability from cvelistv5 – Published: 2026-04-03 15:25 – Updated: 2026-04-03 20:03
    VLAI
    Title
    Juju: Read All Controller Logs From Compromised Workload
    Summary
    Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    juju juju Affected: >= 2.9, < 2.9.56
    Affected: >= 3.6, < 3.6.19
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-68152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T20:03:33.273121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T20:03:45.979Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "juju",
              "vendor": "juju",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.9, \u003c 2.9.56"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.6, \u003c 3.6.19"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T15:25:56.142Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw"
            },
            {
              "name": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e"
            },
            {
              "name": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3"
            }
          ],
          "source": {
            "advisory": "GHSA-j6f6-jp3p-53mw",
            "discovery": "UNKNOWN"
          },
          "title": "Juju: Read All Controller Logs From Compromised Workload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-68152",
        "datePublished": "2026-04-03T15:25:56.142Z",
        "dateReserved": "2025-12-15T20:13:34.486Z",
        "dateUpdated": "2026-04-03T20:03:45.979Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4370 (GCVE-0-2026-4370)

    Vulnerability from cvelistv5 – Published: 2026-04-01 08:09 – Updated: 2026-04-08 07:27
    VLAI
    Title
    Improper TLS Client/Server authentication and certificate verification on Database Cluster
    Summary
    A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper certificate validation
    • CWE-306 - Missing authentication for critical function
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.2.0 , < 3.6.20 (semver)
    Affected: 4.0 , < 4.0.4 (semver)
    Create a notification for this product.
    Credits
    Harry Pidcock Thomas Miller Joseph Phillips Ian Booth
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4370",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-01T13:00:31.628747Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T13:01:08.226Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.20",
                  "status": "affected",
                  "version": "3.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.0.4",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Harry Pidcock"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Thomas Miller"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Joseph Phillips"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Ian Booth"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller\u0027s database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller\u0027s Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            },
            {
              "capecId": "CAPEC-94",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-94 Adversary in the Middle (AiTM)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper certificate validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing authentication for critical function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T07:27:16.821Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Improper TLS Client/Server authentication and certificate verification on Database Cluster"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-4370",
        "datePublished": "2026-04-01T08:09:17.570Z",
        "dateReserved": "2026-03-18T08:46:09.947Z",
        "dateUpdated": "2026-04-08T07:27:16.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32694 (GCVE-0-2026-32694)

    Vulnerability from cvelistv5 – Published: 2026-03-18 12:55 – Updated: 2026-03-18 13:40
    VLAI
    Title
    Insecure Direct Object Reference attack via predictable secret ID in Juju
    Summary
    In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-343 - Predictable value range from previous values
    • CWE-639 - Authorization bypass through User-Controlled key
    Assigner
    References
    URL Tags
    https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.0.0 , < 3.6.19 (semver)
    Create a notification for this product.
    Credits
    Dima Tisnek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32694",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-18T13:39:10.787656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-18T13:40:33.981Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.19",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dima Tisnek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-59",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-59: Session Credential Falsification through Prediction"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-343",
                  "description": "CWE-343 Predictable value range from previous values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through User-Controlled key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-18T12:55:42.948Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "vdb-entry"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Insecure Direct Object Reference attack via predictable secret ID in Juju"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-32694",
        "datePublished": "2026-03-18T12:55:42.948Z",
        "dateReserved": "2026-03-13T12:53:34.544Z",
        "dateUpdated": "2026-03-18T13:40:33.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32693 (GCVE-0-2026-32693)

    Vulnerability from cvelistv5 – Published: 2026-03-18 12:47 – Updated: 2026-03-18 13:19
    VLAI
    Title
    Unauthorized access to Kubernetes secrets in Juju
    Summary
    In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.0.0 , < 3.6.19 (semver)
    Create a notification for this product.
    Credits
    Dima Tisnek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32693",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-18T13:16:08.879696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-18T13:19:58.719Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.19",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dima Tisnek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-124",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-124: Shared Resource Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-778",
                  "description": "CWE-778 Insufficient logging",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-18T12:47:02.982Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "vdb-entry"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unauthorized access to Kubernetes secrets in Juju"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-32693",
        "datePublished": "2026-03-18T12:47:02.982Z",
        "dateReserved": "2026-03-13T12:53:34.544Z",
        "dateUpdated": "2026-03-18T13:19:58.719Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32692 (GCVE-0-2026-32692)

    Vulnerability from cvelistv5 – Published: 2026-03-18 12:35 – Updated: 2026-03-18 13:42
    VLAI
    Title
    Unauthorized update of out-of-scope Vault secrets
    Summary
    An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.1.6 , < 3.6.19 (semver)
    Create a notification for this product.
    Credits
    Harry Pidcock
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32692",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-18T13:26:45.654119Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-18T13:42:54.697Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.19",
                  "status": "affected",
                  "version": "3.1.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Harry Pidcock"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285 Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-18T12:35:29.274Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "vdb-entry"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-89x7-5m5m-mcmm"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unauthorized update of out-of-scope Vault secrets"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-32692",
        "datePublished": "2026-03-18T12:35:29.274Z",
        "dateReserved": "2026-03-13T12:53:34.544Z",
        "dateUpdated": "2026-03-18T13:42:54.697Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32691 (GCVE-0-2026-32691)

    Vulnerability from cvelistv5 – Published: 2026-03-18 12:28 – Updated: 2026-03-18 13:49
    VLAI
    Title
    Timing ownership claim attack on new external back-end secrets
    Summary
    A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-708 - Incorrect ownership assignment
    Assigner
    References
    URL Tags
    https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 3.0.0 , < 3.6.19 (semver)
    Create a notification for this product.
    Credits
    Harry Pidcock
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32691",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-18T13:46:45.894829Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-18T13:49:09.338Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/juju/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "3.6.19",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Harry Pidcock"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret\u0027s first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-29",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-708",
                  "description": "CWE-708 Incorrect ownership assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-18T12:28:11.546Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "vdb-entry"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Timing ownership claim attack on new external back-end secrets"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-32691",
        "datePublished": "2026-03-18T12:28:11.546Z",
        "dateReserved": "2026-03-13T12:53:34.544Z",
        "dateUpdated": "2026-03-18T13:49:09.338Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1237 (GCVE-0-2026-1237)

    Vulnerability from cvelistv5 – Published: 2026-01-28 15:01 – Updated: 2026-01-28 15:06
    VLAI
    Summary
    Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-672 - Operation on a Resource after Expiration or Release
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    Canonical juju Affected: 0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1237",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-28T15:05:47.431871Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-28T15:06:23.120Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vulnerable cross-model authorization in juju. If a charm\u0027s cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "ADJACENT",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-672",
                  "description": "CWE-672 Operation on a Resource after Expiration or Release",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347 Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-28T15:01:46.364Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-1237",
        "datePublished": "2026-01-28T15:01:46.364Z",
        "dateReserved": "2026-01-20T16:56:24.051Z",
        "dateUpdated": "2026-01-28T15:06:23.120Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0928 (GCVE-0-2025-0928)

    Vulnerability from cvelistv5 – Published: 2025-07-08 17:20 – Updated: 2025-07-08 17:36
    VLAI
    Title
    Arbitrary executable upload via authenticated endpoint
    Summary
    In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.0.0 , < 2.9.52 (semver)
    Affected: 3.0.0 , < 3.6.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0928",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-08T17:35:31.515571Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-08T17:36:20.075Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://juju.is/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.52",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution."
                }
              ],
              "value": "In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "A malicious agent binary could be leveraged to achieve remote code execution on newly provisioned or upgraded machines."
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-08T17:20:04.608Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Arbitrary executable upload via authenticated endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-0928",
        "datePublished": "2025-07-08T17:20:04.608Z",
        "dateReserved": "2025-01-31T10:43:45.458Z",
        "dateUpdated": "2025-07-08T17:36:20.075Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53513 (GCVE-0-2025-53513)

    Vulnerability from cvelistv5 – Published: 2025-07-08 16:57 – Updated: 2025-07-09 14:00
    VLAI
    Title
    Zip slip vulnerability in Juju
    Summary
    The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-24 - Path Traversal: '../filedir'
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.0.0 , < 2.9.52 (semver)
    Affected: 3.0.0 , < 3.6.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53513",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-09T14:00:06.132356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-09T14:00:10.613Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://juju.is/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.52",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "A charm that exploits a Zip Slip vulnerability may be used to gain access to a machine running a unit that uses the affected charm."
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-24",
                  "description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-08T16:57:06.351Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8"
            }
          ],
          "source": {
            "advisory": "https://github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8",
            "discovery": "INTERNAL"
          },
          "title": "Zip slip vulnerability in Juju"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-53513",
        "datePublished": "2025-07-08T16:57:06.351Z",
        "dateReserved": "2025-07-02T08:52:42.037Z",
        "dateUpdated": "2025-07-09T14:00:10.613Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53512 (GCVE-0-2025-53512)

    Vulnerability from cvelistv5 – Published: 2025-07-08 16:47 – Updated: 2025-07-08 19:09
    VLAI
    Title
    Sensitive log retrieval in Juju
    Summary
    The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-285 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Juju Affected: 2.0.0 , < 2.9.52 (semver)
    Affected: 3.0.0 , < 3.6.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53512",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-08T19:09:11.652417Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-08T19:09:24.844Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://juju.is/",
              "defaultStatus": "unaffected",
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "2.9.52",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.6.8",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Any user with a Juju account on a controller could read debug log messages from the /log endpoint."
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-08T16:47:44.427Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63"
            }
          ],
          "source": {
            "advisory": "https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63",
            "discovery": "INTERNAL"
          },
          "title": "Sensitive log retrieval in Juju"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-53512",
        "datePublished": "2025-07-08T16:47:44.427Z",
        "dateReserved": "2025-07-02T08:52:42.036Z",
        "dateUpdated": "2025-07-08T19:09:24.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0092 (GCVE-0-2023-0092)

    Vulnerability from cvelistv5 – Published: 2025-01-31 01:41 – Updated: 2025-02-07 16:10
    VLAI
    Summary
    An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Canonical Ltd. Juju Affected: 2.9.22 , < 2.9.38 (semver)
    Affected: 3.0.0 , < 3.0.3 (semver)
    Affected: 2.9.38 , < 3.0.3 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0092",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T16:10:08.920084Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-07T16:10:14.052Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "juju",
              "platforms": [
                "Linux"
              ],
              "product": "Juju",
              "repo": "https://github.com/juju/juju",
              "vendor": "Canonical Ltd.",
              "versions": [
                {
                  "lessThan": "2.9.38",
                  "status": "affected",
                  "version": "2.9.22",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.3",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.3",
                  "status": "affected",
                  "version": "2.9.38",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller\u0027s filesystem."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-31T01:41:46.439Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/advisories/GHSA-x5rv-w9pm-8qp8"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/juju/juju/commit/ef803e2a13692d355b784b7da8b4b1f01dab1556"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2023-0092",
        "datePublished": "2025-01-31T01:41:46.439Z",
        "dateReserved": "2023-01-05T20:43:04.614Z",
        "dateUpdated": "2025-02-07T16:10:14.052Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }