Bug#985540: cloud-init logs sensitive password data to world-readable files
Package: cloud-init
Version: 20.4-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
cloud-init has the ability to generate and set a randomized password for
system users. This functionality is enabled at runtime by passing
cloud-config data such as:
  chpasswd:
    list: |
      user1:RANDOM
When used this way, cloud-init logs the raw, unhashed password to a
world-readable local file.
This is fixed in upstream commit https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668
This issue has been allocated CVE-2021-3429.
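An added host-audit check for the scenario in this report (written for this page, not code from cloud-init or from the bug report): it extracts the users given a RANDOM password in a chpasswd block, scans a log file for lines that pair such a user with a password value, and reports whether the log is world-readable. The sample config and log lines are constructed, and the "password" wording the scan looks for is an assumption, since the report does not quote the leaked log line.

```python
import os
import re
import stat

# Constructed sample cloud-config, in the form shown in the bug report.
SAMPLE_CLOUD_CONFIG = """\
chpasswd:
  list: |
    user1:RANDOM
    user2:$6$salt$hashedvalue
"""

# Constructed sample log lines. The exact wording cloud-init used is not
# given in the report, so the "password set to" phrasing is an assumption.
SAMPLE_LOG = """\
2021-03-01 10:00:00 - cc_set_passwords.py[DEBUG]: Handling chpasswd for users
2021-03-01 10:00:01 - cc_set_passwords.py[DEBUG]: user1: password set to xK9!q2Lm
2021-03-01 10:00:02 - cc_users_groups.py[INFO]: created user user2
"""

RANDOM_ENTRY = re.compile(r"^\s*([^:\s]+):RANDOM\s*$")


def random_password_users(cloud_config_text):
    """Users whose chpasswd entry is RANDOM. Handles only the block-literal
    'list: |' form shown in the report, so no YAML library is needed."""
    return [m.group(1) for line in cloud_config_text.splitlines()
            if (m := RANDOM_ENTRY.match(line))]


def leaked_lines(log_text, users):
    """Log lines that mention a RANDOM-password user together with the word
    'password' (the wording is an assumption about the log format)."""
    return [line for line in log_text.splitlines()
            if "password" in line.lower() and any(u in line for u in users)]


def is_world_readable(mode):
    """True when the 'other' read bit is set on a file mode (e.g. 0o644)."""
    return bool(mode & stat.S_IROTH)


def audit_log_file(cloud_config_text, log_path):
    """Run both checks on a real log file; returns (world_readable, hits)."""
    users = random_password_users(cloud_config_text)
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        hits = leaked_lines(fh.read(), users)
    return is_world_readable(os.stat(log_path).st_mode), hits
```

A positive result on a real host (world-readable log plus matching lines) is the condition this report describes; the remediation is to apply the upstream fix and scrub or restrict the affected log.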