CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2012-6639
https://notcve.org/view.php?id=CVE-2012-6639
An privilege elevation vulnerability exists in Cloud-init before 0.7.0 when requests to an untrusted system are submitted for EC2 instance data. Se presenta una vulnerabilidad de elevación de privilegios en Cloud-init versiones anteriores a 0.7.0, cuando se envían peticiones a un sistema no confiable para datos de la instancia EC2. • http://www.openwall.com/lists/oss-security/2014/03/06/7 https://access.redhat.com/security/cve/cve-2012-6639 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6639 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2012-6639 https://security-tracker.debian.org/tracker/CVE-2012-6639 https://www.securityfocus.com/bid/66019/references • CWE-269: Improper Privilege Management •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-10896 – cloud-init: default configuration disabled deletion of SSH host keys
https://notcve.org/view.php?id=CVE-2018-10896
The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. La configuración por defecto en cloud-init, en versiones a partir de la 0.6.2, incluía "ssh_deletekeys: 0", deshabilitando la eliminación de cloud-init de claves de host ssh. En algunos entornos, esto podría conducir a que se creen instancias creadas al clonar un sistema golden master o template, a que se compartan claves de host ssh o a que se pueda suplantar a otro o llevar a cabo ataques de Man-in-the-Middle (MitM). The default cloud-init configuration included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. • https://bugs.launchpad.net/cloud-init/+bug/1781094 https://bugzilla.redhat.com/show_bug.cgi?id=1574338 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10896 https://access.redhat.com/security/cve/CVE-2018-10896 https://bugzilla.redhat.com/show_bug.cgi?id=1598831 • CWE-321: Use of Hard-coded Cryptographic Key •