In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
The bug consists of improper permission verification (CWE-285) when calling the CloudSpec API method within the Controller facade. Any authenticated user — regardless of permission level — can call this method and receive cloud credentials (used during the controller bootstrap process) in the response. The authorization mechanism does not verify whether the caller has sufficient privileges to access this sensitive data.
An attacker with any authentication level can extract the controller's cloud credentials, which in practice means the ability to gain full access to cloud infrastructure resources, as well as potential takeover of the environment managed by Juju.
Canonical Juju should be updated to version 2.9.57 (for the 2.x branch) or 3.6.21 (for the 3.x branch), where the issue has been resolved. Patches are available in the project's official repositories and described in the vendor's references.
Canonical Juju in versions earlier than 2.9.57 and earlier than 3.6.21
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HCanonical Juju
APPCanonical< 2.9.573.6 – 3.6.21 (bez)
Related vulnerabilities
Canonical Juju: brak uwierzytelnienia TLS w klastrze Dqlite umożliwia przejęcie bazy danych
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appr...
Juju is an open source application orchestration engine that enables any application operation on any infrastr...
An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 thro...
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correct...