systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.
Ubuntu bug report:
Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1716956]
The fix implemented in  seems to cause a regression, which was reported upstream at . It is still not clear what the right fix for this CVE will be, as there is a PR under review to revert the fix 
To see the leaked passwords in VT1, the attacker needs to either be root or be physically in front of the computer (AV:P). Also, it's required for the victim users to be physically in front of the computer as well and login after the vulnerability is triggered (UI:R).
Given what said in comment 5, I'm lowering the Impact to Moderate.
The fix that supposedly should had fixed this CVE was actually reverted upstream in https://github.com/systemd/systemd/commit/ad3f86e6a4e5f2d5d64c81f9a30f250b624284fa .