Password Guessing Vulnerability in Cloud-init by Canonical
CVE-2020-8632

5.5MEDIUM

Key Information:

Vendor

Canonical

Status
Cloud-init
Vendor
CVE Published:
5 February 2020

What is CVE-2020-8632?

A vulnerability exists in Cloud-init versions prior to 20.1 where the 'rand_user_password' function in 'cloudinit/config/cc_set_passwords.py' has a small default password length value. This weakness can make it easier for attackers to guess user passwords, potentially compromising the security of cloud instances configured with the software. Users are recommended to update to the latest version to mitigate this risk.

References

https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug...
x_refsource_MISC
https://github.com/canonical/cloud-init/pull/189
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2020/02/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-8632 : Password Guessing Vulnerability in Cloud-init by Canonical