CVE-2025-15480
CRITICALSenstive information disclosure was affecting ubuntu-desktop-provision
Title source: cnaDescription
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
References (2)
Core 2
Core References
Patch patch
issue-tracking
feat: don't log identity data (noble backport)
https://github.com/canonical/ubuntu-desktop-provision/pull/1400
Patch patch
issue-tracking
feat: don't log identity data
https://github.com/canonical/ubuntu-desktop-provision/pull/1399
Scores
CVSS v3
9.1
EPSS
0.0006
EPSS Percentile
17.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1258
Status
published
Products (4)
Canonical/Ubuntu
< 24.04.4
Canonical/Ubuntu
< 25.04
Canonical/Ubuntu
< 25.10
canonical/ubuntu_desktop_provision
24.04.4
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026