PT-2020-20241 · Canonical+4 · Cloud-Init+4

Dimitri John Ledkov

Published

2020-02-05

Updated

2024-06-15

CVE-2020-8631

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions cloud-init versions prior to 19.4

Description The issue is related to the use of Mersenne Twister for generating random passwords, which can make it easier for attackers to predict passwords. This is because the rand str function in cloudinit/util.py calls the random.choice function.

Recommendations For cloud-init versions prior to 19.4, consider updating to a version that uses a more secure random number generator to mitigate the risk of password prediction. As a temporary workaround, consider generating passwords manually using a secure method until a patched version is available.

Fix

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-330

Related Identifiers

ALT-PU-2020-1691

ALT-PU-2020-1866

CESA-2020_3898

CESA-2020_4650

CVE-2020-8631

DLA-2113-1

MGASA-2020-0295

OPENSUSE-SU-2020:0400-1

OPENSUSE-SU-2020_0400-1

OPENSUSE-SU-2024:10688-1

RHSA-2020:3898

RHSA-2020:4650

RHSA-2020_3898

RHSA-2020_4650

SUSE-SU-2020:0585-1

SUSE-SU-2020:0751-1

SUSE-SU-2020:0818-1

SUSE-SU-2020_0585-1

SUSE-SU-2020_0751-1

SUSE-SU-2020_0818-1

Affected Products

Alt Linux

Centos

Red Hat

Suse

Cloud-Init

PT-2020-20241 · Canonical+4 · Cloud-Init+4

CVE-2020-8631

Weakness Enumeration

Related Identifiers

Affected Products

References · 34