CVE-2024-11584

Medium CVSS: 5.9

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Vendor

Canonical

Product

Cloud-init

CWE

CWE-732

Yayın Tarihi

2025-06-26 10:15:24

Güncelleme

2025-09-05 15:20:25

Source Identifier

security@ubuntu.com

KEV Date Added

Kategoriler

CWE-732 Cloud-init MEDIUM Canonical 2025

Referanslar

https://github.com/canonical/cloud-init/pull/6265/commits/6e10240a7f0a2d6110b398640b3fd46cfa9a7cf3 https://github.com/canonical/cloud-init/releases/tag/25.1.3

Benzer Kayıtlar

Critical

CVE-2026-4370

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the inter…

Medium

CVE-2026-32694

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret o…

Medium

CVE-2026-32691

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit…

High

CVE-2026-32692

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18…

High

CVE-2026-32693

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which…

Low

CVE-2026-3351

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated,…