Candidate: CVE-2021-3429
PublicDate: 2021-03-26 00:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3429
 https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668
Description:
 When instructing cloud-init to set a random password for a new user
 account, versions before 21.1.19 would write that password to the
 world-readable log file /var/log/cloud-init-output.log. This could allow a
 local user to log in as another user.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985540
 https://bugs.launchpad.net/cloud-init/+bug/1918303
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 ubuntu: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L [6.6 MEDIUM]

Patches_cloud-init:
 upstream: https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668
upstream_cloud-init: released (20.4.1-2)
precise/esm_cloud-init: DNE
trusty_cloud-init: ignored (out of standard support)
trusty/esm_cloud-init: DNE
xenial_cloud-init: released (21.1-19-gbad84ad4-0ubuntu1~16.04.1)
esm-infra/xenial_cloud-init: released (21.1-19-gbad84ad4-0ubuntu1~16.04.1)
bionic_cloud-init: released (21.1-19-gbad84ad4-0ubuntu1~18.04.1)
focal_cloud-init: released (21.1-19-gbad84ad4-0ubuntu1~20.04.1)
groovy_cloud-init: released (21.1-19-gbad84ad4-0ubuntu1~20.10.1)
devel_cloud-init: not-affected (21.1-19-gbad84ad4-0ubuntu2)