3 matches found
SUSE CVE-2025-0928
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or...
Remote Code Execution (RCE)
github.com/juju/juju is vulnerable to Remote Code Execution RCE. The vulnerability is due to insufficient authorization checks caused by allowing any authenticated controller user to upload arbitrary agent binaries to any model or the controller without verifying model membership or permissions...
GHSA-4VC8-WVHW-M5GV Juju allows arbitrary executable uploads via authenticated endpoint without authorization
Summary You can affect the agent binaries used in a Juju controller and the code that is run in the binaries by simply having a user account on a controller. You aren't required to have a model or any permissions. This just requires a user account in the controller database. Details Because of th...