Advisories for Golang/Github.com/Juju/Juju package

2024

Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm. A potential exploit where a user can run a bash loop attempting to execute hook tools. If running while another hook is executing, we log an error with the context ID, making it possible for the …

Duplicate Advisory: Juju leaks of the sensitive context ID

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6vjm-54vp-mxhx. This link has been maintained to preserve external references. Original Description An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm.

2023

Juju controller - Arbitrary file reading vulnerability

Impact An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem.