← Back to team overview

cloud-init team mailing list archive

[SECURITY] Release of cloud-init 23.1.2


Hello All,

A medium level CVE-2023-1786 was discovered for cloud-init exposing
optional vendor-data or user-data which could be provided to some clouds at
instance launch time. If exposed, sensitive values in vendor-data or
user-data would live in /run/cloud-init/instance-data.json which is a
world-readable file.

The cloud-init release 23.1.2 resolves CVE-2023-1786 by redacting any
potentially nested sensitive config keys that previously could have been
exposed in /run/cloud-init/instance-data.json replacing sensitive content
with "redacted for non-root user".

The Ubuntu security team has published fixes for this to 16.04(ESM), 18.04,
20.04, 22.04, 22.10 and 23.04.

For details see:
- https://github.com/canonical/cloud-init/releases/tag/23.1.2
- https://bugs.launchpad.net/cloud-init/+bug/2013967
- https://ubuntu.com/security/notices/USN-6042-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1786

Many thanks,
upstream cloud-init devs