
    2 vulnerabilities by juju

    CVE-2025-68153 (GCVE-0-2025-68153)

    Vulnerability from cvelistv5 – Published: 2026-04-03 15:28 – Updated: 2026-04-04 03:16
    Title
    Juju: Resource poisoning
    Summary
    Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor: juju; Product: juju
    Affected versions: >= 2.9, < 2.9.56
    Affected versions: >= 3.6, < 3.6.19

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-68153",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-04T03:16:45.400020Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-04T03:16:56.632Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "juju",
              "vendor": "juju",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.9, \u003c 2.9.56"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.6, \u003c 3.6.19"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T15:28:06.191Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2"
            },
            {
              "name": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4"
            }
          ],
          "source": {
            "advisory": "GHSA-245v-p8fj-vwm2",
            "discovery": "UNKNOWN"
          },
          "title": "Juju: Resource poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-68153",
        "datePublished": "2026-04-03T15:28:06.191Z",
        "dateReserved": "2025-12-15T20:13:34.486Z",
        "dateUpdated": "2026-04-04T03:16:56.632Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-68152 (GCVE-0-2025-68152)

    Vulnerability from cvelistv5 – Published: 2026-04-03 15:25 – Updated: 2026-04-03 20:03
    Title
    Juju: Read All Controller Logs From Compromised Workload
    Summary
    Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor: juju; Product: juju
    Affected versions: >= 2.9, < 2.9.56
    Affected versions: >= 3.6, < 3.6.19

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-68152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T20:03:33.273121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T20:03:45.979Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "juju",
              "vendor": "juju",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.9, \u003c 2.9.56"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.6, \u003c 3.6.19"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T15:25:56.142Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw"
            },
            {
              "name": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e"
            },
            {
              "name": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3"
            }
          ],
          "source": {
            "advisory": "GHSA-j6f6-jp3p-53mw",
            "discovery": "UNKNOWN"
          },
          "title": "Juju: Read All Controller Logs From Compromised Workload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-68152",
        "datePublished": "2026-04-03T15:25:56.142Z",
        "dateReserved": "2025-12-15T20:13:34.486Z",
        "dateUpdated": "2026-04-03T20:03:45.979Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }