{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68153", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-15T20:13:34.486Z", "datePublished": "2026-04-03T15:28:06.191Z", "dateUpdated": "2026-04-04T03:16:56.632Z"}, "containers": {"cna": {"title": "Juju: Resource poisoning", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2"}, {"name": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4", "tags": ["x_refsource_MISC"], "url": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4"}], "affected": [{"vendor": "juju", "product": "juju", "versions": [{"version": ">= 2.9, < 2.9.56", "status": "affected"}, {"version": ">= 3.6, < 3.6.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:28:06.191Z"}, "descriptions": [{"lang": "en", "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19."}], "source": {"advisory": "GHSA-245v-p8fj-vwm2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-04T03:16:45.400020Z", "id": "CVE-2025-68153", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:16:56.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68153", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-04T03:16:45.400020Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:16:52.887Z"}}], "cna": {"title": "Juju: Resource poisoning", "source": {"advisory": "GHSA-245v-p8fj-vwm2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "juju", "product": "juju", "versions": [{"status": "affected", "version": ">= 2.9, < 2.9.56"}, {"status": "affected", "version": ">= 3.6, < 3.6.19"}]}], "references": [{"url": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2", "name": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4", "name": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:28:06.191Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68153", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:16:56.632Z", "dateReserved": "2025-12-15T20:13:34.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:28:06.191Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0EAA4DD-F373-4A67-B571-D3899E1E13CA", "versionEndIncluding": "2.9.55", "versionStartIncluding": "2.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EDFE9C5-AB90-4FA2-84FF-C005BE2B6D6F", "versionEndIncluding": "3.6.18", "versionStartIncluding": "3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called \u2018charms\u2019. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19."}], "id": "CVE-2025-68153", "lastModified": "2026-04-21T01:24:01.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:23.357", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.9,2.9.56)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.6,3.6.19)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "juju", "source": "cna", "vendor": "juju"}, "product": "juju", "vendor": "juju"}], "analysis": {"en": {"generated_at": "2026-04-03T18:20:36.991561+00:00", "value": {"mitigation_remediation": ["Upgrade Juju to version 2.9.56 or later", "Upgrade Juju to version 3.6.19 or later"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized resource modification within controller"}, "threat_synthesis": {"affected_systems": "Juju installations running versions 2.9.0 through 2.9.55 and 3.6.0 through 3.6.18 are vulnerable. All users or machines authenticated against any Juju controller can exploit the vulnerability, affecting every application managed by that controller.", "description_and_impact": "Resource poisoning allows an authenticated user, machine or controller to modify the resources of any application located within a Juju controller. This results in unauthorized changes to application configuration or deployment which can lead to loss of control over the application, potential service interruption, and misuse of resources. The weakness is an access control flaw described by CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity. The exploit probability is not documented, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need to authenticate to the controller to manipulate resources; thus the vector is authenticated user access. Once accessed, the attacker can alter any application\u2019s resource settings, potentially causing service disruption or other impacts. The risk is significant for environments that rely on strict access controls."}}}}, "created": "2026-04-03T21:13:06.389038+00:00", "updated": "2026-04-03T21:15:18.461677+00:00", "vendors": ["juju", "juju$PRODUCT$juju"]}