2 matches found
Juju has unauthorized access to out-of-scope Kubernetes secrets
Summary Grantee is able to update secret content using the secret-set tool due to broad Kubernetes access policy. Implications are that it is possible, knowing a Kubernetes secret identifier e.g. name, to patch without affecting the secret, revealing the value, or, patching while affecting the...
PT-2026-26057
Name of the Vulnerable Software and Affected Versions Juju versions 3.0.0 through 3.6.18 Description Juju’s authorization for the 'secret-set' tool is flawed, allowing a grantee to update secret content. Even when an error is logged during an exploitation attempt, the secret is still updated, and...