Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-0928

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 9 months ago

Arbitrary executable upload via authenticated endpoint

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.

References

https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv

Affected products

juju

<2.9.52
<3.6.8

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

nixos-unstable 3.6.5
- nixpkgs-unstable 3.6.5
- nixos-unstable-small 3.6.5

pkgs.jujutsu

Git-compatible DVCS that is both simple and powerful

nixos-unstable 0.30.0
- nixpkgs-unstable 0.30.0
- nixos-unstable-small 0.30.0

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

nixos-unstable 0.2
- nixpkgs-unstable 0.2
- nixos-unstable-small 0.2

Package maintainers

@RealityAnomaly Alex Zero <alex@arctarus.co.uk>
@emilazy Emily <nixpkgs@emily.moe>
@bbigras Bruno Bigras <bigras.bruno@gmail.com>
@thoughtpolice Austin Seipp <aseipp@pobox.com>
@0x4A6F Joachim Ernst <mail-maintainer@0x4A6F.dev>