CVE-2023-1786
Published: 26 April 2023
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
From the Ubuntu Security Team
James Golovich discovered that sensitive data could be exposed in logs. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
Mitigation
The Ubuntu update to address this attempted to redact information in /var/log/cloud-init.log and /run/cloud-init/instance-data.json. Additional logs may require the removal of sensitive information.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
cloud-init Launchpad, Ubuntu, Debian |
bionic |
Released
(23.1.2-0ubuntu0~18.04.1)
|
| focal |
Released
(23.1.2-0ubuntu0~20.04.1)
|
|
| jammy |
Released
(23.1.2-0ubuntu0~22.04.1)
|
|
| kinetic |
Released
(23.1.2-0ubuntu0~22.10.1)
|
|
| lunar |
Released
(23.1.2-0ubuntu0~23.04.1)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| xenial |
Released
(21.1-19-gbad84ad4-0ubuntu1~16.04.4)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(23.2,23.1.2)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |