ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Ubuntu-image | Canonical | 1.0-2017-07-06 (including) | 1.0-2017-07-06 (including) |
Ubuntu-image | Ubuntu | devel | * |
Ubuntu-image | Ubuntu | esm-infra/xenial | * |
Ubuntu-image | Ubuntu | upstream | * |
Ubuntu-image | Ubuntu | xenial | * |
Ubuntu-image | Ubuntu | yakkety | * |
Ubuntu-image | Ubuntu | zesty | * |

Such a scenario is commonly observed when: