CVE-2022-2084

Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
canonicalCNA
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
CISA-ADPADP
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
VendorProductVersion
canonicalcloud-init
𝑥
< 22.3
canonicalubuntu_linux
18.04
canonicalubuntu_linux
20.04
canonicalubuntu_linux
21.10
canonicalubuntu_linux
22.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cloud-init
bullseye
20.4.1-2+deb11u1
not-affected
buster
not-affected
bookworm
22.4.2-1+deb12u1
fixed
sid
24.3.1-2
fixed
trixie
24.3.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cloud-init
kinetic
Fixed 22.2-64-g1fcd55d6-0ubuntu1~22.10.1
released
jammy
Fixed 22.2-0ubuntu1~22.04.3
released
impish
Fixed 22.2-0ubuntu1~21.10.3
released
focal
Fixed 22.2-0ubuntu1~20.04.3
released
bionic
Fixed 22.2-0ubuntu1~18.04.3
released
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d57871f11ea88c
https://ubuntu.com/security/notices/USN-5496-1
https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d57871f11ea88c
https://ubuntu.com/security/notices/USN-5496-1