Juju Cross-Model Authorization Vulnerability Allowing Unauthorized Permission Retention

Vulnerability

A vulnerability exists in Juju versions 2.9.x, 3.6.x, and 4.x that allows charms to retain cross-model permissions that have been revoked or have expired. The issue arises because the Juju controller does not properly validate invalid macaroons. A malicious user with the ability to update database records can exploit this flaw by minting a macaroon that bypasses validation, enabling a charm to maintain unauthorized relations and access workloads without permission.

Impact

Exploitation of this vulnerability could lead to unauthorized access and actions within cross-model relations, allowing charms to interact with and use each other's workloads without consent.

Reproduction

To reproduce this vulnerability, a user must first have access to a charm that can update database records. With such a charm, the user revokes the cross-model permissions or lets them expire. The user then mints an invalid macaroon that the Juju controller does not properly validate. This invalid macaroon can be used to falsely claim the revoked or expired permissions, allowing the charm to continue interacting with other charms and their workloads without authorization.

Added: Jan 28, 2026, 3:26 PM
Updated: Jan 28, 2026, 3:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.2
remediation: 0.0
relevance: 2.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.