PT-2017-11398 · Canonical · Ubuntu-Image

Published: 2017-07-11 · Updated: 2019-10-03 · CVE-2017-10600

CVSS v3.1: 5.9 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: ubuntu-image version 1.0 before 2017-07-07

Description: The issue allows a local attacker with the same uid as the image creator to have unintended access to cloud-init and snapd directories when the resulting image is booted. This occurs because ubuntu-image, when invoked as non-root, creates files in the resulting image with the uid of the invoking user.

Recommendations: For ubuntu-image version 1.0 before 2017-07-07, consider running the command as root or ensuring that the invoking user's uid does not match any local user on the resulting image to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
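
One way to check a built image for the condition described above, as an added example (not code from this advisory or from the ubuntu-image project): it walks an unpacked or mounted image root, lists entries not owned by root, and reports whether the owning uid matches an account in the image's own `etc/passwd`. The paths `var/lib/cloud` and `var/lib/snapd` and the function names are assumptions; the advisory names the components, not their locations.

```python
import os
import tempfile

# Assumed paths for the cloud-init and snapd directories inside the image root.
ASSUMED_DIRS = ("var/lib/cloud", "var/lib/snapd")

def image_accounts(image_root):
    """Map uid -> account name using the image's own etc/passwd."""
    accounts = {}
    passwd = os.path.join(image_root, "etc", "passwd")
    if os.path.isfile(passwd):
        with open(passwd, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.split(":")
                if len(fields) >= 3 and fields[2].isdigit():
                    accounts.setdefault(int(fields[2]), fields[0])
    return accounts

def audit_image(image_root, subdirs=ASSUMED_DIRS, trusted_uids=(0,)):
    """List entries whose owner is not trusted; image_account is None when
    no account in the image currently has that uid."""
    accounts = image_accounts(image_root)
    findings = []
    for sub in subdirs:
        top = os.path.join(image_root, sub)
        if not os.path.isdir(top):
            continue
        paths = [top]
        for dirpath, dirnames, filenames in os.walk(top):
            paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            uid = os.lstat(path).st_uid  # lstat: report the link, not its target
            if uid not in trusted_uids:
                findings.append({"path": os.path.relpath(path, image_root),
                                 "uid": uid, "image_account": accounts.get(uid)})
    return findings

def demo():
    """Constructed tree owned by the current user, as after a non-root build."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        for d in ("etc", "var/lib/cloud/seed", "var/lib/snapd"):
            os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, "etc/passwd"), "w") as fh:
            fh.write(f"builder:x:{me}:{me}::/home/builder:/bin/sh\n")
        open(os.path.join(root, "var/lib/cloud/seed/user-data"), "w").close()
        return audit_image(root, trusted_uids=(me + 1,)), audit_image(root, trusted_uids=(me,))

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

A finding with a non-`None` `image_account` is the case the recommendation warns about: the build user's uid matches a local user on the resulting image.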

Session Fixation


Weakness Enumeration

Related Identifiers

CVE-2017-10600

Affected Products

Ubuntu-Image