CVE-2023-1786
Publication date 26 April 2023
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
From the Ubuntu Security Team
James Golovich discovered that sensitive data could be exposed in logs. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
Mitigation
The Ubuntu update that addresses this issue attempts to redact sensitive information in /var/log/cloud-init.log and /run/cloud-init/instance-data.json. Additional logs may still contain sensitive information that has to be removed.
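One way to check for leftover hashes after updating, as an added example that is not part of the Ubuntu advisory or of cloud-init: the script below scans the two files named above for crypt(3)-style password hashes and prints each matching line with the hash replaced. The regex, the `REDACTED` placeholder and the sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Files named in the advisory; append any other log that may hold user-data.
ADVISORY_PATHS = ["/var/log/cloud-init.log", "/run/cloud-init/instance-data.json"]

# crypt(3) modular format: $id$[params$]salt$hash
# ids: 1 (MD5), 5 (SHA-256), 6 (SHA-512), y (yescrypt), 2a/2b/2x/2y (bcrypt)
CRYPT_RE = re.compile(
    r"\$(?:1|5|6|y|2[abxy])\$(?:[A-Za-z0-9./=,]+\$){1,3}[A-Za-z0-9./]{22,}"
)
PLACEHOLDER = "REDACTED"  # assumption: any marker that is not a hash works


def redact_crypt_hashes(text):
    """Return (text with crypt-style hashes replaced, number of replacements)."""
    return CRYPT_RE.subn(PLACEHOLDER, text)


def scan_lines(lines):
    """Return [(line_number, redacted_line)] for every line that held a hash."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        redacted, count = redact_crypt_hashes(line.rstrip("\n"))
        if count:
            hits.append((lineno, redacted))
    return hits


# Constructed sample input (not real cloud-init output, not real hashes).
FAKE_SHA512 = "$6$rounds=4096$constructedsalt$" + "x" * 86
FAKE_BCRYPT = "$2b$12$" + "y" * 53
SAMPLE_LINES = [
    "constructed: module started\n",
    "constructed: user config {'name': 'demo', 'passwd': '%s'}\n" % FAKE_SHA512,
    '{"hashed_passwd": "%s"}\n' % FAKE_BCRYPT,
    "constructed: total cost $5$ per unit\n",
]

if __name__ == "__main__":
    for lineno, line in scan_lines(SAMPLE_LINES):
        print(f"sample:{lineno}: {line}")
    for path in ADVISORY_PATHS:
        if Path(path).is_file():  # skip files that do not exist on this host
            with open(path, errors="replace") as fh:
                for lineno, line in scan_lines(fh):
                    print(f"{path}:{lineno}: {line}")
```

Any hash the scan reports has already been exposed to local readers of that file, so the corresponding password should be rotated as well as the log cleaned.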
Status
Package | Ubuntu Release | Status |
---|---|---|
cloud-init | 22.04 LTS jammy | Fixed 23.1.2-0ubuntu0~22.04.1 |
 | 20.04 LTS focal | Fixed 23.1.2-0ubuntu0~20.04.1 |
 | 18.04 LTS bionic | Fixed 23.1.2-0ubuntu0~18.04.1 |
 | 16.04 LTS xenial | Fixed 21.1-19-gbad84ad4-0ubuntu1~16.04.4 |
 | 14.04 LTS trusty | Ignored end of standard support |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 · Medium |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6042-1: Cloud-init vulnerability (26 April 2023)