[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#985540: cloud-init logs sensitive password data to world-readable files

Package: cloud-init
Version: 20.4-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

cloud-init has the ability to generate and set a randomized password for
system users.  This functionality is enabled at runtime by passing
cloud-config data such as:

       list: |

When used this way, cloud-init logs the raw, unhashed password to a
world-readable local file.

This is fixed in upstream commit https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668

This issue has been allocated CVE-2021-3429.

Reply to: