File Download Vulnerability in Juju Controller by Canonical
CVE-2023-0092

4.9MEDIUM

Key Information:

Vendor: Canonical Ltd.
Status: Juju
Vendor: CVE Published:; 31 January 2025

Summary

An authenticated user with read access to the Juju controller model can craft a remote request to download arbitrary files from the controller's filesystem, potentially leading to unauthorized access to sensitive information. This vulnerability highlights the risks associated with insufficient access controls for users able to interact with the Juju controller.

Affected Version(s)

Juju Linux 2.9.22 < 2.9.38

Juju Linux 3.0.0 < 3.0.3

Juju Linux 2.9.38 < 3.0.3

References

https://github.com/advisories/GHSA-x5rv-w9pm-8qp8

issue-tracking

https://github.com/juju/juju/commit/ef803e2a13692d355b784...

patch

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 31, 2025
Vulnerability Reserved
Jan 5, 2023