CVE-2023-1786 — Log File Information Exposure in LTD Cloud-init

CWE-532 — Log File Information Exposure CWE-200 — Sensitive Information Exposure8 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 89.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical LTD Cloud-init Canonical Cloud-init Canonical Ubuntu Linux +1 more

Timeline

PublishedApr 26

Latest updateApr 27

Description

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDcanonical/cloud-init< 23.1.2

▶CVEListV5canonical_ltd/cloud-init< 23.1.2

▶Debiancanonical/cloud-init< 23.2-1+1

Also affects: Fedora 38, Ubuntu Linux 16.04, 18.04, 20.04, 22.04, 22.10, 23.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-2vcw-8vc6-xxfw: Sensitive data could be exposed in logs of cloud-init before version 23↗2023-04-27

▶

OSV

CVE-2023-1786: Sensitive data could be exposed in logs of cloud-init before version 23↗2023-04-26

▶

CVEList

sensitive data exposure in cloud-init logs↗2023-04-26

▶

📋Vendor Advisories

Red Hat

cloud-init: sensitive data could be exposed in logs↗2023-04-27

▶

Ubuntu

Cloud-init vulnerability↗2023-04-26

▶

Microsoft

sensitive data exposure in cloud-init logs↗2023-04-11

▶

Debian

CVE-2023-1786: cloud-init - Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An ...↗2023

▶