It allows a user with read access to the controller to read arbitrary files from disk.
Before 2.9.22 the backup ID which is used to read from disk, had validation to ensure the file path contained `juju-backup.tar.gz` and would otherwise fetch the backup from gridfs in mongodb if the ID did not.
Now it allows the user to pass an `ID` unvalidated to `os.Open`, sending the file contents back to the requester.
Tracking @ https:/ /github. com/juju/ juju/security/ advisories/ GHSA-x5rv- w9pm-8qp8
The issue was introduced in 2.9.22 via this commit https:/ /github. com/juju/ juju/commit/ 05de4b980f6fbf0 884c8c774df66a0 2bd2498cbb
It allows a user with read access to the controller to read arbitrary files from disk.
Before 2.9.22 the backup ID which is used to read from disk, had validation to ensure the file path contained `juju-backup. tar.gz` and would otherwise fetch the backup from gridfs in mongodb if the ID did not.
Now it allows the user to pass an `ID` unvalidated to `os.Open`, sending the file contents back to the requester.