cloud-init team mailing list archive
[SECURITY] Release of cloud-init 23.1.2
A medium-level CVE, CVE-2023-1786, was discovered for cloud-init, exposing
optional vendor-data or user-data which could be provided to some clouds at
instance launch time. If exposed, sensitive values in vendor-data or
user-data would live in /run/cloud-init/instance-data.json which is a
The cloud-init release 23.1.2 resolves CVE-2023-1786 by redacting any
potentially nested sensitive config keys that previously could have been
exposed in /run/cloud-init/instance-data.json, replacing sensitive content
with "redacted for non-root user".
The Ubuntu security team has published fixes for this to 16.04 (ESM), 18.04,
20.04, 22.04, 22.10 and 23.04.
For details see:
upstream cloud-init devs
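
A post-upgrade check for the redaction described above, as an added example that is not part of the announcement or cloud-init's own code: it walks the nested structure of instance-data.json and reports sensitive keys whose values are not the redaction marker. The set of key names treated as sensitive and both sample documents are assumptions constructed for illustration.

```python
import json
import os

REDACTED = "redacted for non-root user"  # marker text quoted in the announcement
INSTANCE_DATA = "/run/cloud-init/instance-data.json"  # path from the announcement
# Assumption: key names treated as sensitive; compared after normalization.
SENSITIVE = {"userdata", "vendordata"}

def _normalize(key):
    # "user-data", "user_data" and "userdata" all compare equal.
    return key.lower().replace("-", "").replace("_", "")

def find_unredacted(node, path=""):
    """Return slash-separated paths of sensitive keys that are not redacted."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}" if path else key
            # Empty values carry nothing to expose, so they are not reported.
            if _normalize(key) in SENSITIVE and value not in (REDACTED, None, "", {}):
                hits.append(here)
            else:
                hits.extend(find_unredacted(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_unredacted(item, f"{path}/{i}"))
    return hits

# Constructed sample documents (not real instance data).
SAMPLE_BEFORE = {
    "ds": {"meta_data": {"instance-id": "i-constructed"},
           "vendor_data": {"chpasswd": {"list": "root:CONSTRUCTED"}}},
    "userdata": "#cloud-config\npassword: CONSTRUCTED",
}
SAMPLE_AFTER = {
    "ds": {"meta_data": {"instance-id": "i-constructed"},
           "vendor_data": REDACTED},
    "userdata": REDACTED,
}

if __name__ == "__main__":
    print("before:", find_unredacted(SAMPLE_BEFORE))
    print("after: ", find_unredacted(SAMPLE_AFTER))
    if os.path.exists(INSTANCE_DATA):
        with open(INSTANCE_DATA) as fh:
            print("this host:", find_unredacted(json.load(fh)))
```

An empty list for "this host" means none of the assumed key names still carry unredacted content; extend `SENSITIVE` to match the keys your datasource uses.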