
Impact Any user with a Juju account on a controller can read debug log messages from the /log endpoint. No specific permissions are required – it's just sufficient for the user to exist in the controller user database. The log messages may contain sensitive information. Details The /log endpoint is accessible at the following endpoints: – wss://<controller-ip>/log – wss://<controller-ip>/model/<model-uuid>/log In order to connect to these endpoints, the client must pass an X-Juju-Client-Version header that matches the current version and pass credentials in a Basic Authorization header. Once connected, the service will stream log events even though the user is not authorised to view them. To reproduce: juju bootstrap juju add-user testuser juju change-user-password testuser Run the wscat command below to connect to wss://<controller-ip>:17070/api. Update the JSON payload to include the username and password that were created above. wscat –no-check -c wss://contorller-ip:17070/model/modelUUID/api { "type": "Admin", "request": "Login", "version": 3, "params": { "client- version": "3.6.1.0", "auth-tag": "user-testuser", "credentials": " password" } } Observe that the connection fails due to a lack of permissions. Run the command below to connect to the log endpoint. Note that the credentials are passed in the –auth flag. wscat –auth user-testuser:password -H "X-Juju-ClientVersion: 3.6.4" –no-check -c wss://<controller-ip>:17070/log Observe that the logs are returned in the…Read More
References
Back to Main