CVE Vulnerabilities

CVE-2024-6174

Improper Authentication

Published: Jun 26, 2025 | Modified: Jun 26, 2025
CVSS 3.x: N/A
Source: NVD
CVSS 2.x
RedHat/V2
RedHat/V3: 8.8 IMPORTANT CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu: MEDIUM

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded URL with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name        Vendor  Start Version     End Version
Cloud-init  Ubuntu  devel             *
Cloud-init  Ubuntu  esm-infra/bionic  *
Cloud-init  Ubuntu  esm-infra/focal   *
Cloud-init  Ubuntu  esm-infra/xenial  *
Cloud-init  Ubuntu  focal             *
Cloud-init  Ubuntu  jammy             *
Cloud-init  Ubuntu  mantic            *
Cloud-init  Ubuntu  noble             *
Cloud-init  Ubuntu  oracular          *
Cloud-init  Ubuntu  plucky            *
Cloud-init  Ubuntu  upstream          *

Potential Mitigations

References