CVE-2025-0928
PUBLISHED
CVSS 8.8 HIGH
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
EPSS 2.32% · 85.1th percentile
Risk Scores
CVSS v3.1
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
2.32%
85.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Juju | 2.0.0, 3.0.0 |
| github.com | juju/juju | 0 |
| canonical | juju | 0, 3.0 |
Timeline
- Jul 8, 2025 Coalition ESS Score
- Jul 8, 2025 CVE Published
- Jul 8, 2025 PoC Published
- Jul 9, 2025 EPSS Score
- Jul 9, 2025 Coalition ESS Score
- Jul 10, 2025 Coalition ESS Score
- Jul 18, 2025 EPSS Score
- Jul 28, 2025 EPSS Score
- Aug 6, 2025 EPSS Score
- Aug 16, 2025 EPSS Score
- Aug 25, 2025 EPSS Score
- Aug 26, 2025 Coalition ESS Score
References
- https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv url
- https://nvd.nist.gov/vuln/detail/CVE-2025-0928 advisory
- https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e url
- https://github.com/juju/juju/commit/311e374cb8d2431032c51fb3fb5c4b0aaaa7196c url
- https://github.com/juju/juju/commit/4034aa13c7cf5a37427fcd032925d5d21955b096 url
- https://github.com/juju/juju/commit/b4176e6e45c2c3c817ab60b39e2d52f9a11a5ddf url
- https://github.com/juju/juju package
- https://pkg.go.dev/vuln/GO-2025-3805 url