sensitive data exposure in cloud-init logs
CVE-2022-2084

5.5MEDIUM

Key Information:

Vendor

Canonical Ltd.

Status
Cloud-init
Vendor
CVE Published:
19 April 2023

What is CVE-2022-2084?

Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.

Affected Version(s)

cloud-init Linux 0 < 23.0

References

https://github.com/canonical/cloud-init/commit/4d467b1436...
patch
https://ubuntu.com/security/notices/USN-5496-1
vendor-advisory

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mike Stroyan
.
CVE-2022-2084 : sensitive data exposure in cloud-init logs