CVE-2023-0092 — Path Traversal in LTD Juju

CWE-22 — Path Traversal CWE-73 — External Control of File Name or Path4 documents4 sources

Severity

4.9MEDIUMNVD

EPSS

0.5%

top 34.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical LTD Juju Github.com Juju Juju Canonical Juju

Timeline

PublishedJan 31

Description

An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶NVDcanonical/juju2.9.22 — 2.9.38+1

▶CVEListV5canonical_ltd/juju2.9.22 — 2.9.38+2

▶Gogithub.com/juju_juju2.9.22 — 2.9.38+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

CVE-2023-0092: An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controll↗2025-01-31

▶

OSV

Juju controller - Arbitrary file reading vulnerability↗2023-03-01

▶

GHSA

Juju controller - Arbitrary file reading vulnerability↗2023-03-01

▶