CVE-2023-0092: 
vulnerability analysis and mitigation

CVE-2023-0092 is a security vulnerability in the Juju controller that allows an authenticated user with read access to the controller model to download arbitrary files from the controller's filesystem. The vulnerability was discovered and disclosed in January 2025 and affects Juju versions 2.9.22 through 2.9.38 and 3.0.0 through 3.0.3 (GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-22) that allows improper limitation of a pathname to a restricted directory. It has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. This indicates that while the vulnerability requires high privileges to exploit, it can be accessed over the network and requires no user interaction (NVD).

The vulnerability allows an authenticated attacker with read access to the controller model to access and download arbitrary files from the controller's filesystem, potentially exposing sensitive information. The impact is limited to confidentiality (High), with no direct impact on integrity or availability of the system (GitHub Advisory).

The vulnerability has been patched in Juju versions 2.9.38 and 3.0.3. Until patches can be applied, it is recommended to limit read access to the controller model to only trusted users (GitHub Advisory).