CVE-2019-0816 — Use of Incorrectly-Resolved Name or Reference in Cloud-init

CWE-706 — Use of Incorrectly-Resolved Name or Reference CWE-285 — Improper Authorization9 documents7 sources

Severity

5.1MEDIUMNVD

EPSS

0.1%

top 71.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Cloud-init Debian Cloud-init Microsoft Ubuntu Server +2 more

Timeline

PublishedApr 9

Latest updateMay 13

Description

A security feature bypass exists in Azure SSH Keypairs, due to a change in the provisioning logic for some Linux images that use cloud-init, aka 'Azure SSH Keypairs Security Feature Bypass Vulnerability'.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 1.4 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/cloud-init< cloud-init 18.3-6 (bookworm)

▶Debiancanonical/cloud-init< 18.3-6+3

▶CVEListV5microsoft/ubuntu_server18.04-LTS

▶msrcmsrc/ubuntuserver_18.04-lts

Also affects: Ubuntu Linux 18.04

🔴Vulnerability Details

GHSA

GHSA-gjp8-2rjx-f9mg: A security feature bypass exists in Azure SSH Keypairs, due to a change in the provisioning logic for some Linux images that use cloud-init, aka 'Azur↗2022-05-13

▶

OSV

CVE-2019-0816: A security feature bypass exists in Azure SSH Keypairs, due to a change in the provisioning logic for some Linux images that use cloud-init, aka 'Azur↗2019-04-09

▶

📋Vendor Advisories

Microsoft

Azure SSH Keypairs Security Feature Bypass Vulnerability↗2019-03-12

▶

Red Hat

cloud-init: extra ssh keys added to authorized_keys on the Azure platform↗2019-03-05

▶

Debian

CVE-2019-0816: cloud-init - A security feature bypass exists in Azure SSH Keypairs, due to a change in the p...↗2019

▶

💬Community

Bugzilla

CVE-2019-0816 cloud-init: extra ssh keys added to authorized_keys [epel-6]↗2019-03-13

▶

Bugzilla

CVE-2019-0816 cloud-init: extra ssh keys added to authorized_keys [fedora-all]↗2019-03-13

▶

Bugzilla

CVE-2019-0816 cloud-init: extra ssh keys added to authorized_keys on the Azure platform↗2019-02-22

▶