PT-2023-12253 · Unknown+5 · Cloud-Init+5

Carl Pearson

Published

2021-03-20

Updated

2024-06-15

CVE-2021-3429

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions cloud-init versions prior to 21.2 cloud-init versions prior to 21.1.19

Description When instructing cloud-init to set a random password for a new user account, the password would be written to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.

Recommendations For versions prior to 21.2, update to version 21.2 or later to resolve the issue. For versions prior to 21.1.19, update to version 21.1.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the /var/log/cloud-init-output.log file to minimize the risk of exploitation.

Fix

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-532

Related Identifiers

ALT-PU-2021-1872

CESA-2021_3081

CVE-2021-3429

DLA-2601-1

MGASA-2021-0494

OESA-2021-1372

OPENSUSE-SU-2024:13053-1

RHSA-2021:3081

RHSA-2021:3177

RHSA-2021:3371

RHSA-2021_3081

RLSA-2021:3081

SUSE-FU-2023:3283-1

SUSE-SU-2023:2164-1

SUSE-SU-2023_2164-1

Affected Products

Alt Linux

Centos

Red Hat

Rocky Linux

Suse

Cloud-Init

PT-2023-12253 · Unknown+5 · Cloud-Init+5

CVE-2021-3429

Weakness Enumeration

Related Identifiers

Affected Products

References · 36