Published: 26 April 2023
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
From the Ubuntu Security Team
James Golovich discovered that sensitive data could be exposed in logs. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
The Ubuntu update to address this attempted to redact information in /var/log/cloud-init.log and /run/cloud-init/instance-data.json. Additional logs may require the removal of sensitive information.
Launchpad, Ubuntu, Debian
(end of standard support)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
Severity score breakdown