The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/juju/juju(Go) | 0 | 0.0.0-20250619215741-6356e984b82a | N/A |
CVSS Metrics
