Bug#985540: cloud-init logs sensitive password data to world-readable files
Tags: security upstream patch
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <firstname.lastname@example.org>

cloud-init has the ability to generate and set a randomized password for
system users. This functionality is enabled at runtime by passing
cloud-config data such as:

When used this way, cloud-init logs the raw, unhashed password to a
world-readable local file.

This is fixed in upstream commit https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668

This issue has been allocated CVE-2021-3429.