GHSA-r64v-82fh-xc63

Source
https://github.com/advisories/GHSA-r64v-82fh-xc63
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-r64v-82fh-xc63/GHSA-r64v-82fh-xc63.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r64v-82fh-xc63
Aliases
  • CVE-2025-53512
Published
2025-07-09T15:30:58Z
Modified
2025-07-09T16:12:15.361369Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization
Details

Impact

Any user with a Juju account on a controller can read debug log messages from the /log endpoint. No specific permissions are required; it is sufficient for the user to exist in the controller's user database. The log messages may contain sensitive information.

Details

The /log endpoint is accessible at the following endpoints:
  • wss://<controller-ip>/log
  • wss://<controller-ip>/model/<model-uuid>/log

In order to connect to these endpoints, the client must pass an X-Juju-Client-Version header that matches the current version and pass credentials in a Basic Authorization header. Once connected, the service will stream log events even though the user is not authorised to view them.

To reproduce:

juju bootstrap
juju add-user testuser
juju change-user-password testuser

Run the wscat command below to connect to wss://<controller-ip>:17070/api. Update the JSON payload to include the username and password that were created above.

wscat --no-check -c wss://<controller-ip>:17070/model/<model-uuid>/api
{ "type": "Admin", "request": "Login", "version": 3, "params": { "client-version": "3.6.1.0", "auth-tag": "user-testuser", "credentials": "password" } }

Observe that the connection fails due to a lack of permissions.

Run the command below to connect to the log endpoint. Note that the credentials are passed in the --auth flag.

wscat --auth user-testuser:password -H "X-Juju-ClientVersion: 3.6.4" --no-check -c wss://<controller-ip>:17070/log

Observe that the logs are returned in the server’s response.

Code

The /log handlers are registered here:
  • https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L867
  • https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L980

The only authentication required is that the incoming request come from an authenticated user (https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L713), but no specific permission checks are done.
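The gap described above, authentication without authorization, as an added illustration that is not Juju's own code: a hypothetical log-stream gate in the flawed form beside the corrected one, where the fixed check also requires read access on the requested model (or admin access on the controller). The Access and Principal types are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Access is the level a user holds on the controller or on one model.
// These are hypothetical illustrative types, not Juju's own code.
type Access int

const (
	NoAccess Access = iota
	ReadAccess
	AdminAccess
)

// Principal is a verified caller; Grants maps "controller" or a model UUID to access held.
type Principal struct {
	UserTag string
	Grants  map[string]Access
}

var ErrUnauthenticated = errors.New("log stream: unauthenticated")
var ErrForbidden = errors.New("log stream: no read access on target")

// authorizeLogStreamVulnerable mirrors the advisory's flawed check: any authenticated user passes.
func authorizeLogStreamVulnerable(p *Principal, target string) error {
	if p == nil {
		return ErrUnauthenticated
	}
	return nil // authentication alone is treated as sufficient
}

// authorizeLogStreamFixed adds the missing authorization step: read access on
// the requested target, or admin on the controller (covers every model it hosts).
func authorizeLogStreamFixed(p *Principal, target string) error {
	if p == nil {
		return ErrUnauthenticated
	}
	if p.Grants["controller"] >= AdminAccess || p.Grants[target] >= ReadAccess {
		return nil
	}
	return ErrForbidden
}

func main() {
	u := &Principal{UserTag: "user-testuser"} // exists in the user database, holds no grants
	fmt.Println(authorizeLogStreamVulnerable(u, "model-uuid"), authorizeLogStreamFixed(u, "model-uuid"))
}
```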

Workarounds

There are no workarounds.

References

F-01

Database specific
{
    "nvd_published_at": "2025-07-08T17:16:04Z",
    "github_reviewed_at": "2025-07-09T15:30:58Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE"
}
Affected packages

Go / github.com/juju/juju

Package

Name
github.com/juju/juju
Purl
pkg:golang/github.com/juju/juju

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.0-20250619024904-402ff008dcc2