CVE-2021-3429

Publication date 19 April 2023

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cloud-init	20.10 groovy	Fixed 21.1-19-gbad84ad4-0ubuntu1~20.10.1
	20.04 LTS focal	Fixed 21.1-19-gbad84ad4-0ubuntu1~20.04.1
	18.04 LTS bionic	Fixed 21.1-19-gbad84ad4-0ubuntu1~18.04.1
	16.04 LTS xenial	Fixed 21.1-19-gbad84ad4-0ubuntu1~16.04.1
	14.04 LTS trusty	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
cloud-init	Upstream: b794d42

Severity score breakdown

CVSS version: CVSS v3.0

Base score 5.5 · Medium

Base metrics

Parameter	Value
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality impact	High
Integrity impact	None
Availability impact	None

Scores

Parameter	Value
Base score	5.5 · Medium
Exploitability score	-
Impact score	-

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Other references

https://www.cve.org/CVERecord?id=CVE-2021-3429