CVE-2020-11932 : It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS

It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS full disk encryption password if one was entered.

Published 2020-05-13 01:15:12

Updated 2020-08-03 18:15:12

Source Canonical Ltd.

View at NVD, CVE.org

Products affected by CVE-2020-11932

Canonical » Subiquity
Versions before (<) 20.05.2
cpe:2.3:a:canonical:subiquity:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

1.71%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 81 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
2.3	LOW	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N	0.8	1.4	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
2.3	LOW	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N	0.8	1.4	Canonical Ltd.
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

https://github.com/CanonicalLtd/subiquity/commit/7db70650feaf513d7fb6f1ca07f2d670a0890613

write the dm_crypt key to a keyfile, not curtin config · CanonicalLtd/subiquity@7db7065 · GitHub
Patch;Third Party Advisory
https://aliceandbob.company/the-human-factor-in-an-economy-of-scale/

The human factor in an economy of scale | Alice&Bob.Company

Jump to