CVE-2025-68152 - Vulnerability Details

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Juju	Juju

No data.

References

Link	Providers
https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e
https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3
https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw

History

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Juju Juju juju
Vendors & Products		Juju Juju juju
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
Title		Juju: Read All Controller Logs From Compromised Workload
Weaknesses		CWE-863
References		https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e https://github.com/juju/juju/commit/c91a1f4046956874ba77c8b398aecee3d61a2dc3 https://github.com/juju/juju/security/advisories/GHSA-j6f6-jp3p-53mw
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-03T15:25:56.142Z

Updated: 2026-04-03T20:03:45.979Z

Reserved: 2025-12-15T20:13:34.486Z

Link: CVE-2025-68152

Vulnrichment

Updated: 2026-04-03T20:03:41.945Z

NVD

Status : Received

Published: 2026-04-03T16:16:23.193

Modified: 2026-04-03T16:16:23.193

Link: CVE-2025-68152

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object