An authenticated user who has read access to the juju controller model, may construct a remote request to download an arbitrary file from the controller's filesystem.
Patched in juju 2.9.38 and juju 3.0.3 juju/juju#ef803e2
Limit read access to the controller model to only trusted users.
{ "nvd_published_at": null, "github_reviewed_at": "2023-03-01T19:17:17Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-73" ] }