Comment 3 for bug 1999622

Tracking @ https://github.com/juju/juju/security/advisories/GHSA-x5rv-w9pm-8qp8

The issue was introduced in 2.9.22 via this commit https://github.com/juju/juju/commit/05de4b980f6fbf0884c8c774df66a02bd2498cbb

It allows a user with read access to the controller to read arbitrary files from disk.

Before 2.9.22 the backup ID which is used to read from disk, had validation to ensure the file path contained `juju-backup.tar.gz` and would otherwise fetch the backup from gridfs in mongodb if the ID did not.

Now it allows the user to pass an `ID` unvalidated to `os.Open`, sending the file contents back to the requester.