Juju Race Condition Vulnerability in Secrets Management Subsystem Allowing Unauthorized Ownership Claims

Vulnerability

A race condition vulnerability has been identified in the secrets management subsystem of Juju, affecting versions from 3.0.0 onward that are prior to 3.6.18. It allows an authenticated unit agent to claim ownership of a newly initialized secret. The issue arises in the window between the generation of a Juju Secret ID and the creation of the secret's first revision. An attacker, authenticated as another unit agent, can exploit this window to claim ownership of a known secret, enabling them to read the content of the initial secret revision.
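The window described above, replayed in a simplified in-memory model. This is an added example, not Juju's code or API: the Store type, its methods, and the unit and secret names are hypothetical, and fixing the owner at ID generation is an assumed way to close the window, not a description of the actual Juju fix.

```go
package main

// Store is a toy two-step secret creation flow (hypothetical; not Juju's code).
type Store struct {
	bind    bool              // true = owner is fixed when the ID is generated
	owner   map[string]string // secret ID -> owning unit ("" = unowned)
	content map[string]string // secret ID -> first revision content
}

// GenerateID is step 1. Without bind, the new ID exists but has no owner.
func (s *Store) GenerateID(unit, id string) {
	if s.owner[id] = ""; s.bind {
		s.owner[id] = unit
	}
}

// Claim records unit as owner of a generated ID that nobody owns yet.
func (s *Store) Claim(unit, id string) bool {
	if cur, known := s.owner[id]; !known || cur != "" {
		return false
	}
	s.owner[id] = unit
	return true
}

// CreateFirstRevision is step 2: the creator claims the ID and stores content.
func (s *Store) CreateFirstRevision(unit, id, content string) {
	s.Claim(unit, id) // has no effect if an owner is already recorded
	s.content[id] = content
}

// Read returns the first revision to the recorded owner, "" to anyone else.
func (s *Store) Read(unit, id string) string {
	if s.owner[id] != unit {
		return ""
	}
	return s.content[id]
}

// OtherUnitReads replays the interleaving; all names and values are constructed.
func OtherUnitReads(bind bool) string {
	s := &Store{bind, map[string]string{}, map[string]string{}}
	s.GenerateID("app/0", "secret-1")
	s.Claim("other/0", "secret-1") // arrives between step 1 and step 2
	s.CreateFirstRevision("app/0", "secret-1", "constructed-value")
	return s.Read("other/0", "secret-1")
}

func main() { println(OtherUnitReads(false) != "", OtherUnitReads(true) != "") }
```

With the owner left unset after step 1, the second unit ends up as owner and reads the first revision; with the owner bound at step 1, the same interleaving returns nothing to it.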

Impact

Exploitation of this vulnerability allows an authenticated unit agent to claim ownership of a newly initialized secret, intercepting the secret before its first revision is created. This unauthorized ownership claim enables the attacking unit to access the content of the initial secret revision, potentially leading to unauthorized disclosure of sensitive information.

Remediation

Users can upgrade to Juju version 3.6.19 to address this vulnerability.

Added: Mar 18, 2026, 1:23 PM
Updated: Mar 18, 2026, 1:23 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 2.9
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.