Juju Authorization Vulnerability in Secret Management Allows Unauthorized Access to Kubernetes Secrets

Vulnerability

An authorization vulnerability has been identified in Juju versions 3.0.0 through 3.6.18. The 'secret-set' tool does not properly enforce authorization, so an application that has merely been granted access to a secret (a grantee) can update the secret's contents, potentially leading to unauthorized reading or modification of other secrets. Notably, although an error is logged during the update attempt, the secret is still updated, contrary to expectations, and the new value becomes visible to both the owner and the grantee.

Impact

Exploitation of this vulnerability allows a grantee to update secret contents without authorization, affecting any application that owns the secret as well as third-party applications that have been granted access to it. Additionally, it affects all applications with secrets in the same Kubernetes secret backend.

Reproduction

To reproduce this vulnerability, first create a secret in an application using the 'secret-add' command. Then grant access to another application through a relation. Afterward, use the 'secret-set' command in the grantee application to update the secret. Despite a permission denied error being returned, the secret value is successfully updated and visible to both the owner and the grantee.

Remediation

Users can upgrade to Juju version 3.6.19, where this vulnerability has been patched.
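As an added example (not part of this advisory or of Juju itself), the following POSIX shell function checks whether a Juju version string falls inside the affected range 3.0.0 through 3.6.18. It assumes the "X.Y.Z-<os>-<arch>" form printed by `juju version`; the function names juju_affected and juju_verdict are my own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Juju itself: report whether a
# Juju version string falls in the affected range 3.0.0 through 3.6.18
# (inclusive). Assumes the "X.Y.Z-<os>-<arch>" form printed by `juju version`;
# anything after the first '-' is ignored. Function names are hypothetical.

# Return 0 if the version is affected, 1 if not, 2 if it cannot be parsed.
juju_affected() {
    ver=${1%%-*}                      # drop "-genericlinux-amd64" style suffix
    IFS=. read -r major minor patch extra <<EOF
$ver
EOF
    # Require exactly three all-numeric components.
    [ -z "$extra" ] || return 2
    for part in "$major" "$minor" "$patch"; do
        case "$part" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 3 ] || return 1    # only the 3.x series is affected
    [ "$minor" -lt 6 ] && return 0    # 3.0.x .. 3.5.x
    [ "$minor" -eq 6 ] && [ "$patch" -le 18 ] && return 0
    return 1                          # 3.6.19 and later are fixed
}

# Print a verdict for one version string, e.g. from `juju version` or the
# Version column in the model header of `juju status`.
juju_verdict() {
    rc=0
    juju_affected "$1" || rc=$?
    case $rc in
        0) echo "juju $1: affected, upgrade to 3.6.19 or later" ;;
        1) echo "juju $1: not in the affected range" ;;
        *) echo "juju $1: unrecognised version string"; return 2 ;;
    esac
}
```

The version that matters is the agent version of the model running the charms (shown in the model header of `juju status`), not only the client's own version, since 'secret-set' runs inside unit agents.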

Added: Mar 18, 2026, 1:25 PM
Updated: Mar 18, 2026, 1:25 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          3.1
  impact          5.0
  exploitability  4.8
  remediation     7.7
  relevance       4.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.