Juju Authorization Vulnerability in Log Endpoint Allows Unauthorized Access to Sensitive Information

Vulnerability

A vulnerability exists in the Juju controller's log endpoint, where inadequate authorization checks permit unauthorized users to access debug messages that may contain sensitive information. This issue affects Juju versions prior to 2.9.52 and 3.6.8.

Impact

Users with a Juju account on a controller can access debug log messages from the log endpoint, potentially revealing sensitive information. No special permissions are required, only a user account on the controller.

Reproduction

To reproduce this vulnerability, first bootstrap a Juju controller and add a user. After changing the user's password, use the wscat command to connect to the log endpoint, including the necessary authentication and version headers. Although the user lacks permission to read the logs, the server streams the debug messages, demonstrating the unauthorized access.

Remediation

Users can update to Juju versions 2.9.52 or 3.6.8, where this vulnerability has been patched.
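A quick way to check an inventory of controllers against the patched releases is to compare each controller's agent version with the fixed versions named above. The script below is an added example, not code from the advisory or from the Juju project. It assumes the advisory's "prior to 2.9.52 and 3.6.8" wording means every 2.x release below 2.9.52 and every 3.x release below 3.6.8 is affected, and it takes a plain mapping of controller name to version string (constructed sample data is embedded) rather than calling the juju CLI.

```python
import re
from typing import Dict, Optional, Tuple

# Patched releases named in the advisory, keyed by major version.
# Assumption: every 2.x below 2.9.52 and every 3.x below 3.6.8 is affected.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    2: (2, 9, 52),
    3: (3, 6, 8),
}

# Juju agent versions often carry a suffix such as "-ubuntu-amd64";
# only the leading major.minor.patch triple matters for this check.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the (major, minor, patch) triple from a Juju version string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Juju version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below the patched release for its major series,
    False if it is at or above it, None if the major series is not covered
    by the advisory (e.g. a 4.x controller) and needs separate assessment."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def audit(controllers: Dict[str, str]) -> Dict[str, str]:
    """Classify each controller as 'vulnerable', 'patched' or 'unknown'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {name: labels[is_vulnerable(version)] for name, version in controllers.items()}


# Constructed sample inventory (hypothetical controller names and versions).
SAMPLE_CONTROLLERS = {
    "prod-east": "2.9.51-ubuntu-amd64",
    "prod-west": "3.6.8-ubuntu-amd64",
    "staging": "3.5.4-ubuntu-amd64",
    "lab": "4.0.0-beta1",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONTROLLERS).items():
        print(f"{name}: {status}")
```

Controllers reported as "vulnerable" should be upgraded to 2.9.52 or 3.6.8 as the advisory states; "unknown" entries fall outside the version series the advisory covers and should be assessed against the vendor's release notes rather than assumed safe.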

Added: Jul 8, 2025, 6:11 PM
Updated: Jul 8, 2025, 6:11 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          3.1
  impact          2.5
  exploitability  6.6
  remediation     7.7
  relevance       0.2
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.