Description
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
References (4)
Core 4
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/ATBJSXPL2IOAD2LDQRKWPLIC7QXS44GZ/
Issue Tracking issue-tracking
https://bugs.launchpad.net/cloud-init/+bug/2013967
Third Party Advisory vendor-advisory
https://ubuntu.com/security/notices/USN-6042-1
Scores
CVSS v3
5.5
EPSS
0.0003
EPSS Percentile
10.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (8)
canonical/cloud-init
< 23.1.2
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
20.04
canonical/ubuntu_linux
22.04
canonical/ubuntu_linux
22.10
canonical/ubuntu_linux
23.04
fedoraproject/fedora
38
Published
Apr 26, 2023
Tracked Since
Feb 18, 2026