CVE-2023-1786

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| canonical | CNA | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE | ADP | --- | --- | | | |
| CISA-ADP | ADP | --- | --- | | | |

EPSS Score percentile: 3%

| Vendor | Product | Version |
|---|---|---|
| canonical | cloud-init | 𝑥 < 23.1.2 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 20.04 |
| canonical | ubuntu_linux | 22.04 |
| canonical | ubuntu_linux | 22.10 |
| canonical | ubuntu_linux | 23.04 |

𝑥 = Vulnerable software versions

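Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| cloud-init | bullseye | | no-dsa |
| cloud-init | bookworm | | no-dsa |
| cloud-init | buster | | no-dsa |
| cloud-init | trixie | 24.4-1 | fixed |
| cloud-init | sid | 24.4-1 | fixed |
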
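Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| cloud-init | lunar | Fixed 23.1.2-0ubuntu0~23.04.1 | released |
| cloud-init | kinetic | Fixed 23.1.2-0ubuntu0~22.10.1 | released |
| cloud-init | jammy | Fixed 23.1.2-0ubuntu0~22.04.1 | released |
| cloud-init | focal | Fixed 23.1.2-0ubuntu0~20.04.1 | released |
| cloud-init | bionic | Fixed 23.1.2-0ubuntu0~18.04.1 | released |
| cloud-init | xenial | Fixed 21.1-19-gbad84ad4-0ubuntu1~16.04.4 | released |
| cloud-init | trusty | | ignored |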