Lucene search

Gentoo FoundationMGASA-2021-0494

HistoryOct 29, 2021 - 10:32 p.m.

Updated cloud-init packages fix security vulnerability

2021-10-2922:32:22

Gentoo Foundation

advisories.mageia.org

cloud-init

randomized password

vulnerability

log file

local user

cve-2021-3429

unix

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

5.1%

JSON

cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as: ‘chpasswd: list: | user1:RANDOM’ When instructing cloud-init to set a random password for a new user account, versions before 21.1.19 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user (CVE-2021-3429).

OSVersionArchitecturePackageVersionFilename
Mageia8noarchcloud-init< 20.2-2.1cloud-init-20.2-2.1.mga8

OS	Version	Architecture	Package	Version	Filename
Mageia	8	noarch	cloud-init	< 20.2-2.1	cloud-init-20.2-2.1.mga8

References

bugs.mageia.org/show_bug.cgi?id=28991

github.com/canonical/cloud-init/releases/tag/21.2

www.debian.org/lts/security/2021/dla-2601

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

5.1%

JSON

Related for MGASA-2021-0494