Cloud Init
CVE-2023-1786
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
AnalysisAI
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-532. Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. Affected products include: Canonical Cloud-Init, Canonical Ubuntu Linux, Fedoraproject Fedora. Version information: version 23.1.2..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Cloud Init
View allWhen a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To preven
The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init'
cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grant
In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value,
cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today