Candidate: CVE-2020-8632
PublicDate: 2020-02-05 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8632
 https://github.com/canonical/cloud-init/pull/189
Description:
 In cloud-init through 19.4, rand_user_password in
 cloudinit/config/cc_set_passwords.py has a small default pwlen value, which
 makes it easier for attackers to guess passwords.
Ubuntu-Description:
Notes:
 ccdm94> This CVE has been patched in Xenial ESM. The patch, however, has been
 ccdm94> added only to the updates pocket, and since cloud-init is only used
 ccdm94> during first boot (pulling from updates), there should not be a need
 ccdm94> to add this to the security pocket.
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795
Priority: low
Discovered-by: Dimitri John Ledkov
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]

Patches_cloud-init:
 upstream: https://github.com/canonical/cloud-init/commit/42788bf24a1a0a5421a2d00a7f59b59e38ba1a14
upstream_cloud-init: released (20.1)
precise/esm_cloud-init: DNE
trusty_cloud-init: ignored (out of standard support)
trusty/esm_cloud-init: DNE
xenial_cloud-init: ignored (end of standard support, was needed)
esm-infra/xenial_cloud-init: ignored (patched version in updates pocket)
bionic_cloud-init: released (20.2-45-g5f7825e2-0ubuntu1~18.04.1)
eoan_cloud-init: ignored (reached end-of-life)
focal_cloud-init: released (20.1-10-g71af48df-0ubuntu5)
groovy_cloud-init: released (19.4-56-g06e324ff-0ubuntu1)
hirsute_cloud-init: released (21.1-19-gbad84ad4-0ubuntu2)
impish_cloud-init: released (21.3-1-g6803368d-0ubuntu3)
jammy_cloud-init: released (21.4-25-g039c40f9-0ubuntu1~22.04.1)
devel_cloud-init: released (21.4-25-g039c40f9-0ubuntu1~22.04.1)