CVE-2012-6639 : An privilege elevation vulnerability exists in Cloud-init before 0.7.0 when requ

An privilege elevation vulnerability exists in Cloud-init before 0.7.0 when requests to an untrusted system are submitted for EC2 instance data.

Published 2019-11-25 18:15:12

Updated 2020-08-18 15:05:58

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2012-6639

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Suse » Linux Enterprise Server » Version: 11 Update SP2
cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:*:*:*
Matching versions
Suse » Linux Enterprise Server » Version: 11 Update SP3
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:*:*:*
Matching versions
Canonical » Cloud-init
Versions before (<) 0.7.0
cpe:2.3:a:canonical:cloud-init:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

1.20%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 77 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

https://access.redhat.com/security/cve/cve-2012-6639

Red Hat Customer Portal
Patch;Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2012-6639

CVE-2012-6639
Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/03/06/7

oss-security - Re: CVE request: cloud-init DNS resolution fix
Mailing List;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6639

1073591 – (CVE-2012-6639) CVE-2012-6639 cloud-init: insecure transmission of EC2 instance data can lead to root privilege escalation
Issue Tracking;Third Party Advisory
https://www.securityfocus.com/bid/66019/references

Cloud-init CVE-2012-6639 Remote Privilege Escalation Vulnerability
Third Party Advisory;VDB Entry
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2012-6639

Bug 867302 – VUL-0: CVE-2012-6639: cloud-init: might access random "instance-data.local.domain" host
Issue Tracking;Third Party Advisory

Jump to