Skip to main content

Cloud Init

6 CVEs product

Monthly

CVE-2024-6174 HIGH PATCH This Week

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Authentication Bypass Ubuntu Debian Cloud Init Red Hat +1
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2024-11584 MEDIUM PATCH This Month

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Information Disclosure Ubuntu Debian Cloud Init Red Hat +1
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2023-1786 MEDIUM PATCH This Month

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Cloud Init Ubuntu Linux Fedora
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-8632 MEDIUM PATCH This Month

In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Brute Force Cloud Init Leap Debian Linux
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2020-8631 MEDIUM PATCH This Month

cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Cloud Init Leap Debian Linux
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2018-10896 HIGH PATCH This Week

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity.

Information Disclosure Cloud Init
NVD
CVSS 3.1
7.1
EPSS
0.4%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Authentication Bypass Ubuntu Debian +3
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Information Disclosure Ubuntu Debian +3
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Cloud Init Ubuntu Linux +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Brute Force Cloud Init +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Cloud Init Leap +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity.

Information Disclosure Cloud Init
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy