CVE-2023-1786

EUVD-2023-23991
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| canonical | CNA | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
EPSS Score
Percentile: 5%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| canonical | cloud-init | 𝑥 < 23.1.2 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 20.04 |
| canonical | ubuntu_linux | 22.04 |
| canonical | ubuntu_linux | 22.10 |
| canonical | ubuntu_linux | 23.04 |

𝑥 = Vulnerable software versions
Debian Releases
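| Debian Product | Codename | Version | Status |
|---|---|---|---|
| cloud-init | bookworm | | no-dsa |
| cloud-init | bullseye | | no-dsa |
| cloud-init | buster | | no-dsa |
| cloud-init | sid | 24.4-1 | fixed |
| cloud-init | trixie | 24.4-1 | fixed |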
Ubuntu Releases
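| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| cloud-init | bionic | Fixed 23.1.2-0ubuntu0~18.04.1 | released |
| cloud-init | focal | Fixed 23.1.2-0ubuntu0~20.04.1 | released |
| cloud-init | jammy | Fixed 23.1.2-0ubuntu0~22.04.1 | released |
| cloud-init | kinetic | Fixed 23.1.2-0ubuntu0~22.10.1 | released |
| cloud-init | lunar | Fixed 23.1.2-0ubuntu0~23.04.1 | released |
| cloud-init | trusty | | ignored |
| cloud-init | xenial | Fixed 21.1-19-gbad84ad4-0ubuntu1~16.04.4 | released |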