Refine your search
2 vulnerabilities found for by juju
CVE-2025-68153 (GCVE-0-2025-68153)
Vulnerability from cvelistv5
Published
2026-04-03 15:28
Modified
2026-04-04 03:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68153",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-04T03:16:45.400020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-04T03:16:56.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "juju",
"vendor": "juju",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9, \u003c 2.9.56"
},
{
"status": "affected",
"version": "\u003e= 3.6, \u003c 3.6.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T15:28:06.191Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2"
},
{
"name": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4"
}
],
"source": {
"advisory": "GHSA-245v-p8fj-vwm2",
"discovery": "UNKNOWN"
},
"title": "Juju: Resource poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68153",
"datePublished": "2026-04-03T15:28:06.191Z",
"dateReserved": "2025-12-15T20:13:34.486Z",
"dateUpdated": "2026-04-04T03:16:56.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68152 (GCVE-0-2025-68152)
Vulnerability from cvelistv5
Published
2026-04-03 15:25
Modified
2026-04-03 20:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68152",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T20:03:33.273121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T20:03:45.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "juju",
"vendor": "juju",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9, \u003c 2.9.56"
},
{
"status": "affected",
"version": "\u003e= 3.6, \u003c 3.6.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T15:25:56.142Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw"
},
{
"name": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e"
},
{
"name": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3"
}
],
"source": {
"advisory": "GHSA-j6f6-jp3p-53mw",
"discovery": "UNKNOWN"
},
"title": "Juju: Read All Controller Logs From Compromised Workload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68152",
"datePublished": "2026-04-03T15:25:56.142Z",
"dateReserved": "2025-12-15T20:13:34.486Z",
"dateUpdated": "2026-04-03T20:03:45.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}