CVE-2023-0092
📋 TL;DR
This vulnerability allows authenticated users with read access to the Juju controller model to download arbitrary files from the controller's filesystem through a crafted remote request. It affects Juju deployments where users have been granted read access to controller models. The issue is a path traversal vulnerability (CWE-22) that could expose sensitive system files.
💻 Affected Systems
- Juju
📦 What is this software?
Juju by Canonical
⚠️ Risk & Real-World Impact
Worst Case
An attacker could download sensitive configuration files, credentials, or system files, potentially leading to full system compromise if privileged credentials are exposed.
Likely Case
Authenticated users with read access could exfiltrate sensitive configuration data, potentially enabling further attacks or exposing operational secrets.
If Mitigated
With proper access controls limiting read access to trusted users only, the impact is reduced to authorized users potentially accessing files they shouldn't.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the API endpoint. The vulnerability is straightforward path traversal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.3 and later
Vendor Advisory: https://github.com/advisories/GHSA-x5rv-w9pm-8qp8
Restart Required: Yes
Instructions:
1. Upgrade Juju to version 3.0.3 or later.
2. Restart the Juju controller service.
3. Verify the fix by checking the version and testing the vulnerable endpoint.
🔧 Temporary Workarounds
Restrict Controller Model Access
Limit read access to the controller model to only essential, trusted users.
juju grant <username> read <model-name>
juju revoke <username> read controller
🧯 If You Can't Patch
- Implement strict access controls to limit which users have read access to controller models
- Monitor and audit file download requests from the Juju controller API
🔍 How to Verify
Check if Vulnerable:
Check the Juju version with 'juju version'. If the version is below 3.0.3, the system is vulnerable.
Check Version:
juju version
Verify Fix Applied:
After upgrading to 3.0.3+, attempt to exploit the path traversal via the API endpoint; it should now be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file download patterns from Juju API
- Path traversal attempts in request logs
- Multiple failed file access attempts
Network Indicators:
- Unusual outbound traffic from Juju controller containing file data
- Patterns of file download requests to non-standard paths
SIEM Query:
source="juju-controller" AND (url_path CONTAINS ".." OR url_path CONTAINS "/etc/" OR url_path CONTAINS "/root/")
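The SIEM query above matches literal substrings, which misses percent-encoded traversal (%2e%2e, ..%2f) and flags harmless file names that merely contain "..". As an added example that is not part of this advisory or of Juju's code, the following Python applies the same indicators to constructed request-log lines after decoding and segment-splitting the path; the log format and file paths are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample request-log lines (not real Juju controller logs).
# Assumed format: "<timestamp> <user> <method> <url_path> <status>"
SAMPLE_LOGS = [
    "2023-01-10T12:00:01Z alice GET /model/files/charm-config.yaml 200",
    "2023-01-10T12:00:02Z bob GET /model/files/../../etc/passwd 200",
    "2023-01-10T12:00:03Z bob GET /model/files/%2e%2e/%2e%2e/root/.ssh/id_rsa 200",
    "2023-01-10T12:00:04Z carol GET /model/files/..%2f..%2fetc/shadow 403",
    "2023-01-10T12:00:05Z alice GET /model/files/backup..2023.tar 200",
]

# Same sensitive prefixes the SIEM query looks for.
SENSITIVE_PREFIXES = ("/etc/", "/root/")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize_path(raw):
    """Percent-decode twice (catches double encoding) and unify separators."""
    decoded = unquote(unquote(raw))
    return decoded.replace("\\", "/")


def traversal_indicators(url_path):
    """Return the indicator names triggered by one request path.

    A '..' must be a whole path segment to count, so a file named
    'backup..2023.tar' is not flagged while '..%2f' is.
    """
    path = normalize_path(url_path)
    hits = []
    if ".." in path.split("/"):
        hits.append("dot-dot segment")
    if any(prefix in path for prefix in SENSITIVE_PREFIXES):
        hits.append("sensitive system path")
    return hits


def scan_logs(lines):
    """Return (user, url_path, indicators) for every suspicious request."""
    findings = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        _ts, user, _method, url_path, _status = match.groups()
        hits = traversal_indicators(url_path)
        if hits:
            findings.append((user, url_path, hits))
    return findings


if __name__ == "__main__":
    for user, path, hits in scan_logs(SAMPLE_LOGS):
        print(f"{user}: {path} -> {', '.join(hits)}")
```

Feeding a denied (403) request into the same check is deliberate: repeated blocked attempts are the "multiple failed file access attempts" indicator listed above.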