ghsa-r64v-82fh-xc63
Vulnerability from github
Published
2025-07-09 15:30
Modified
2025-07-09 15:30
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization
Details

Impact

Any user with a Juju account on a controller can read debug log messages from the /log endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. The log messages may contain sensitive information.

Details

The /log endpoint is accessible at the following endpoints: - wss://<controller-ip>/log - wss://<controller-ip>/model/<model-uuid>/log

In order to connect to these endpoints, the client must pass an X-Juju-Client-Version header that matches the current version and pass credentials in a Basic Authorization header. Once connected, the service will stream log events even though the user is not authorised to view them.

To reproduce:

juju bootstrap juju add-user testuser juju change-user-password testuser Run the wscat command below to connect to wss://<controller-ip>:17070/api. Update the JSON payload to include the username and password that were created above.

wscat --no-check -c wss://contorller-ip:17070/model/modelUUID/api { "type": "Admin", "request": "Login", "version": 3, "params": { "client- version": "3.6.1.0", "auth-tag": "user-testuser", "credentials": " password" } }

Observe that the connection fails due to a lack of permissions.

Run the command below to connect to the log endpoint. Note that the credentials are passed in the --auth flag.

wscat --auth user-testuser:password -H "X-Juju-ClientVersion: 3.6.4" --no-check -c wss://<controller-ip>:17070/log

Observe that the logs are returned in the server’s response.

Code

The /log handlers are registered here https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L867 https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L980

And the only auth required is that the incoming request be for an authenticated user

https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L713

but no specific permission checks are done.

Workarounds

There are no workarounds.

References

F-01

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/juju/juju"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250619024904-402ff008dcc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-09T15:30:58Z",
    "nvd_published_at": "2025-07-08T17:16:04Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAny user with a Juju account on a controller can read debug log messages from the `/log` endpoint.\nNo specific permissions are required - it\u0027s just sufficient for the user to exist in the controller user database.\nThe log messages may contain sensitive information.\n\n### Details\n\nThe `/log` endpoint is accessible at the following endpoints:\n- `wss://\u003ccontroller-ip\u003e/log`\n- `wss://\u003ccontroller-ip\u003e/model/\u003cmodel-uuid\u003e/log`\n\nIn order to connect to these endpoints, the client must pass an X-Juju-Client-Version header that matches the current version and pass credentials in a Basic Authorization header. Once connected, the service will stream log events even though the user is not authorised to view them.\n\nTo reproduce:\n\n```\njuju bootstrap\njuju add-user testuser\njuju change-user-password testuser\n```\nRun the [wscat](https://github.com/websockets/wscat) command below to\nconnect to `wss://\u003ccontroller-ip\u003e:17070/api`. Update the JSON payload to include the username and password that were created above.\n\n```\nwscat --no-check -c wss://contorller-ip:17070/model/modelUUID/api\n{ \"type\": \"Admin\", \"request\": \"Login\", \"version\": 3, \"params\": { \"client-\nversion\": \"3.6.1.0\", \"auth-tag\": \"user-testuser\", \"credentials\": \"\npassword\" } }\n```\n\nObserve that the connection fails due to a lack of permissions.\n\nRun the command below to connect to the log endpoint. Note that the credentials are passed in the --auth flag.\n\n```\nwscat --auth user-testuser:password -H \"X-Juju-ClientVersion: 3.6.4\" --no-check -c wss://\u003ccontroller-ip\u003e:17070/log\n```\n\nObserve that the logs are returned in the server\u2019s response.\n\n### Code\n\nThe `/log` handlers are registered here\nhttps://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L867\nhttps://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L980\n\nAnd the only auth required is that the incoming request be for an authenticated user\n\nhttps://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L713\n\nbut no specific permission checks are done.\n\n### Workarounds\nThere are no workarounds.\n\n### References\n[F-01](https://drive.google.com/file/d/1pHRNiaA8LyMVJYwIyTqelsqJ9FmImDf0/view)",
  "id": "GHSA-r64v-82fh-xc63",
  "modified": "2025-07-09T15:30:59Z",
  "published": "2025-07-09T15:30:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/juju/juju/security/advisories/GHSA-r64v-82fh-xc63"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53512"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juju/juju/commit/402ff008dcc2cb57f4441968628637efb5c2a662"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/juju/juju"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.