24 matches found
CVE-2026-5412
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This...
CVE-2026-5412 Juju CloudSpec API could leak senstive information
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This...
PT-2026-31912
Name of the Vulnerable Software and Affected Versions Juju versions prior to 2.9.57 and 3.6.21 Description Juju versions prior to 2.9.57 and 3.6.21 contain an authorization issue in the Controller facade. An authenticated user can call the CloudSpec API method to extract cloud credentials used fo...
CVE-2025-68153
Juju vulnerability CVE-2025-68153 affects Juju versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19. An authenticated user, a machine, or a controller within a Juju controller could modify resources of an application across the entire controller. The issue is mitigated by upgrades to 2.9.56 or ...
EUVD-2026-4900
Juju has broken CMR authorization...
EUVD-2025-20674
Malicious code in bioql PyPI...
EUVD-2023-1139
Malicious code in bioql PyPI...
EUVD-2025-20670
Malicious code in bioql PyPI...
SUSE CVE-2025-53512
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information...
SUSE CVE-2025-53513
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through th...
CVE-2025-53513
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through th...
CVE-2025-53512
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information...
CVE-2025-53512
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information...
CVE-2025-53513
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through th...
CVE-2025-53512
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information...
CVE-2025-53513
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through th...
CVE-2025-53513
Juju’s CVE-2025-53513 affects the /charms API endpoint, where authenticated users on the controller can upload charms. The vulnerability stems from insufficient authorization checks, enabling a user account to upload a charm and, via a crafted ZIP file with Zip Slip traversal, overwrite server fi...
CVE-2025-53512
CVE-2025-53512 concerns Juju controllers where the /log endpoint is accessible to authenticated users without proper authorization checks, enabling exposure of debug log messages that may contain sensitive information. Affected component: Juju controller API/server logic handling log streaming. R...
CVE-2023-0092
An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem...
CVE-2023-0092
An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem...