CVE-2022-2084

CWE-532 — Log File Information Exposure CWE-200 — Information Exposure8 documents8 sources

Severity

5.5MEDIUM

EPSS

0.0%

top 93.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Ltd. Cloud-init Canonical Cloud-init Canonical Ubuntu Linux

Timeline

PublishedApr 19

Latest updateApr 20

Description

Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDcanonical/cloud-init< 22.3

▶CVEListV5canonical_ltd./cloud-init< 23.0

▶Debiancloud-init< 22.2-2+2

Also affects: Ubuntu Linux 18.04, 20.04, 21.10, 22.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-w62x-qh57-5m94: Sensitive data could be exposed in world readable logs of cloud-init before version 22↗2023-04-20

▶

CVEList

sensitive data exposure in cloud-init logs↗2023-04-19

▶

OSV

CVE-2022-2084: Sensitive data could be exposed in world readable logs of cloud-init before version 22↗2023-04-19

▶

📋Vendor Advisories

Red Hat

cloud-init: vulnerable to expose sensitive information↗2023-04-20

▶

Microsoft

sensitive data exposure in cloud-init logs↗2023-04-11

▶

Ubuntu

cloud-init vulnerability↗2022-06-29

▶

Debian

CVE-2022-2084: cloud-init - Sensitive data could be exposed in world readable logs of cloud-init before vers...↗2022

▶