DebianDEBIAN:DLA-2113-1:6D037[SECURITY] [DLA 2113-1] cloud-init security update
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
13.1%
Package : cloud-init
Version : 0.7.6~bzr976-2+deb8u1
CVE ID : CVE-2020-8631 CVE-2020-8632
Debian Bug : 951362 951363
CVE-2020-8631
In cloud-init, relies on Mersenne Twister for a random password,
which makes it easier for attackers to predict passwords, because
rand_str in cloudinit/util.py calls the random.choice function.
CVE-2020-8632
In cloud-init, rand_user_password in
cloudinit/config/cc_set_passwords.py has a small default pwlen
value, which makes it easier for attackers to guess passwords.
For Debian 8 "Jessie", these problems have been fixed in version
0.7.6~bzr976-2+deb8u1.
We recommend that you upgrade your cloud-init packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Best,
Utkarsh
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 8 | all | cloud-init | < 0.7.6~bzr976-2+deb8u1 | cloud-init_0.7.6~bzr976-2+deb8u1_all.deb |
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
13.1%