A flaw was found in cloud-init. When a system is configured through cloud-init and the "Set Passwords" module is used with "chpasswd" directive and "RANDOM", the randomly generated password for the relative user is written in clear-text in a file readable by any existing user of the system. The highest threat from this vulnerability is to data confidentiality and it may allow a local attacker to log in as another user.
A flaw was found in cloud-init. When a system is configured through cloud-init and the "Set Passwords" module is used with "chpasswd" directive and "RANDOM", the randomly generated password for the relative user is written in clear-text in a file readable by any existing user of the system. The highest threat from this vulnerability is to data confidentiality and it may allow a local attacker to log in as another user.
By default the randomly password generated by "chpasswd" must be changed on the first login of the user. That means that once a user accesses the system for the first time, the random password in the log file cannot be used anymore. However it is possible to configure an extended validity period for the random password, thus the actual impact of this password leak may vary based on the environment and how the systems are configured through cloud-init.
Vulmon