CVE-2025-68152
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| juju | juju | >= 2.9, < 2.9.56 | affected |
| juju | juju | >= 3.6, < 3.6.19 | affected |
Weaknesses
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw
- https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e
- https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.