Latest Canonical cloud-init Vulnerabilities

Canonical cloud-init could allow a local authenticated attacker to obtain sensitive information, caused by the storage of sensitive data in the log files. By gaining access to the log files, an attack...
debian/cloud-init<=20.2-2~deb10u2, <=20.4.1-2+deb11u1, <=22.4.2-1
ubuntu/cloud-init<23.1.2-0ubuntu0~18.04.1
ubuntu/cloud-init<23.1.2-0ubuntu0~20.04.1
ubuntu/cloud-init<23.1.2-0ubuntu0~22.04.1
ubuntu/cloud-init<23.1.2-0ubuntu0~22.10.1
ubuntu/cloud-init<23.1.2-0ubuntu0~23.04.1
and 11 more
When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could al...
Canonical cloud-init<21.2
Sensitive data could be exposed in world-readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.
ubuntu/cloud-init<22.2-0ubuntu1~18.04.3
ubuntu/cloud-init<22.2-0ubuntu1~20.04.3
ubuntu/cloud-init<22.2-0ubuntu1~21.10.3
ubuntu/cloud-init<22.2-0ubuntu1~22.04.3
ubuntu/cloud-init<22.2-64-
ubuntu/cloud-init<22.3
and 6 more
cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice functi...
Canonical cloud-init<=19.4
openSUSE Leap=15.1
Debian Debian Linux=8.0
In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.
Canonical cloud-init<=19.4
openSUSE Leap=15.1
Debian Debian Linux=8.0
A privilege elevation vulnerability exists in cloud-init before 0.7.0 when requests to an untrusted system are submitted for EC2 instance data.
debian/cloud-init
Canonical cloud-init<0.7.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
SUSE Linux Enterprise Server=11-sp2
and 1 more
The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances ...
Canonical cloud-init>=0.6.2<18.4
