PT-2023-12253 · Unknown+5 · Cloud-Init+5

Carl Pearson +1 · Published 2021-03-20 · Updated 2024-06-15 · CVE-2021-3429

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
cloud-init versions prior to 21.2
cloud-init versions prior to 21.1.19

Description
When instructing cloud-init to set a random password for a new user account, the password would be written to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.

Recommendations
For versions prior to 21.2, update to version 21.2 or later to resolve the issue. For versions prior to 21.1.19, update to version 21.1.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the /var/log/cloud-init-output.log file to minimize the risk of exploitation.
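
The temporary workaround above, as an added example (not from the advisory or the cloud-init project): POSIX shell functions that report whether the log is readable by "other" and remove that access. The function names and status words are hypothetical; only the log path comes from the advisory.

```shell
#!/bin/sh
# Added example: audit and restrict the cloud-init output log named in the advisory.
# Function names and status words are illustrative, not part of cloud-init.
LOG_DEFAULT=/var/log/cloud-init-output.log

# is_world_readable FILE -> exit 0 if "other" has read permission on FILE.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 -print 2>/dev/null)" ]
}

# audit_log [FILE] -> prints one status word:
#   symlink    FILE is a symbolic link (not followed; inspect it by hand)
#   missing    FILE does not exist
#   exposed    FILE is readable by any local user
#   restricted FILE is not readable by "other"
audit_log() {
    f=${1:-$LOG_DEFAULT}
    if [ -L "$f" ]; then echo symlink
    elif [ ! -e "$f" ]; then echo missing
    elif is_world_readable "$f"; then echo exposed
    else echo restricted
    fi
}

# restrict_log [FILE] -> removes all "other" access when FILE is exposed,
# then prints the resulting status. Owner and group bits are left unchanged.
restrict_log() {
    f=${1:-$LOG_DEFAULT}
    if [ "$(audit_log "$f")" = exposed ]; then
        chmod o-rwx "$f" || return 1
    fi
    audit_log "$f"
}

# Typical use, as root:
#   audit_log      # report the current state of the default log path
#   restrict_log   # apply the workaround and report the new state
```

Tightening the mode does not remove a password that has already been written to the log, so updating cloud-init remains the fix.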

Fix

Insertion into Log File


Weakness Enumeration

Related Identifiers

ALT-PU-2021-1872
CESA-2021_3081
CVE-2021-3429
DLA-2601-1
MGASA-2021-0494
OESA-2021-1372
OPENSUSE-SU-2024:13053-1
RHSA-2021:3081
RHSA-2021:3177
RHSA-2021:3371
RHSA-2021_3081
RLSA-2021:3081
SUSE-FU-2023:3283-1
SUSE-SU-2023:2164-1
SUSE-SU-2023_2164-1

Affected Products

Alt Linux
Centos
Red Hat
Rocky Linux
Suse
Cloud-Init