CVE-2023-1786

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |

EPSS Score Percentile: 12%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| canonical | cloud-init | 𝑥 < 23.1.2 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 20.04 |
| canonical | ubuntu_linux | 22.04 |
| canonical | ubuntu_linux | 22.10 |
| canonical | ubuntu_linux | 23.04 |

𝑥 = Vulnerable software versions
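
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| cloud-init | bookworm | | no-dsa |
| cloud-init | bullseye | | no-dsa |
| cloud-init | buster | | no-dsa |
| cloud-init | sid | 24.4-1 | fixed |
| cloud-init | trixie | 24.4-1 | fixed |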
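
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| cloud-init | bionic | Fixed 23.1.2-0ubuntu0~18.04.1 | released |
| cloud-init | focal | Fixed 23.1.2-0ubuntu0~20.04.1 | released |
| cloud-init | jammy | Fixed 23.1.2-0ubuntu0~22.04.1 | released |
| cloud-init | kinetic | Fixed 23.1.2-0ubuntu0~22.10.1 | released |
| cloud-init | lunar | Fixed 23.1.2-0ubuntu0~23.04.1 | released |
| cloud-init | trusty | | ignored |
| cloud-init | xenial | Fixed 21.1-19-gbad84ad4-0ubuntu1~16.04.4 | released |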

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| cloud-init | suse enterprise sap 15 SP1 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise sap 15 SP2 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise sap 15 SP3 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise sap 15 SP4 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise sap 15 SP5 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise sap 15 SP6 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise sap 15 SP7 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise server 15 SP1 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise server 15 SP2 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise server 15 SP3 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise server 15 SP4 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise server 15 SP5 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise server 15 SP6 | 23.3-150100.8.71.1 | fixed |
| cloud-init | suse enterprise server 15 SP7 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise sap 15 SP1 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise sap 15 SP2 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise sap 15 SP3 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise sap 15 SP4 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise sap 15 SP5 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise sap 15 SP6 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise sap 15 SP7 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise server 15 SP1 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise server 15 SP2 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise server 15 SP3 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise server 15 SP4 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise server 15 SP5 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise server 15 SP6 | 23.3-150100.8.71.1 | fixed |
| cloud-init-config-suse | suse enterprise server 15 SP7 | 23.3-150100.8.71.1 | fixed |

Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| cloud-init | RHEL 9 | 0:23.1.1-11.el9 | fixed |