2190079 – (CVE-2023-1786) CVE-2023-1786 cloud-init: sensitive data could be exposed in logs

Bug 2190079 (CVE-2023-1786) - CVE-2023-1786 cloud-init: sensitive data could be exposed in logs

Summary: CVE-2023-1786 cloud-init: sensitive data could be exposed in logs

Keywords:
Status:	NEW
Alias:	CVE-2023-1786
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2190081 2190083 2190082
Blocks:	2190077
TreeView+	depends on / blocked

Reported:	2023-04-27 05:31 UTC by Sandipan Roy
Modified:	2023-07-07 08:32 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in cloud-init. With this flaw, exposure of sensitive data is possible in world-readable cloud-init logs. This flaw allows an attacker to use this information to find hashed passwords and possibly escalate their privilege.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Sandipan Roy 2023-04-27 05:31:52 UTC

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

https://bugs.launchpad.net/cloud-init/+bug/2013967
https://ubuntu.com/security/notices/USN-6042-1
https://github.com/canonical/cloud-init/commit/a378b7e4f47375458651c0972e7cd813f6fe0a6b

Comment 1 Sandipan Roy 2023-04-27 05:38:27 UTC

Created cloud-init tracking bugs for this issue:

Affects: fedora-all [bug 2190082]

Note You need to log in before you can comment on or make changes to this bug.