CVE-2025-15480

Sensitive information disclosure affecting ubuntu-desktop-provision

CVSS 2.7 LOW · EPSS 0.3% · CWE-1258
In short

Ubuntu's desktop setup tool could accidentally include user password hashes in crash logs sent to bug reports. This means your password information might be exposed if the installation fails and you report the problem.

Technical detail

Ubuntu-desktop-provision 24.04.4 suffers from sensitive information disclosure (CWE-1258) where user password hashes are inadvertently included in crash logs submitted to Launchpad during installation failures. The vulnerability requires user interaction (bug report submission) and affects the confidentiality of authentication credentials that could be used for offline attacks.

Summary generated and translated by AI from the official description.
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U
Affected products
Canonical · Ubuntu
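
A pre-submission check for the failure mode described above, as an added example that is not part of this entry or of ubuntu-desktop-provision: it scans log text for crypt(3)-style password hashes and redacts them before the logs are attached to a bug report. The set of hash formats matched, the function names and the sample log lines are assumptions constructed for illustration; the entry does not state the hash format or the log layout.

```python
import re

# crypt(3) modular-crypt-format hashes: $id$[params$]salt$digest.
# Covered ids (assumed set): 1 md5crypt, 5/6 sha256/sha512crypt,
# y yescrypt, 2a/2b/2y bcrypt. The 20-character minimum on the digest
# keeps shell-style strings such as "$1$x" from matching.
CRYPT_HASH = re.compile(
    r"\$(?:1|5|6|y|2[aby])\$(?:[A-Za-z0-9./=,]+\$){1,3}[A-Za-z0-9./]{20,}"
)

# Constructed sample values with realistic lengths; not real credentials.
FAKE_SHA512 = "$6$" + "c" * 16 + "$" + "A" * 86
FAKE_YESCRYPT = "$y$j9T$" + "s" * 22 + "$" + "B" * 43

# Constructed installer-style log; the layout is hypothetical.
SAMPLE_LOG = "\n".join([
    "INFO  starting step: configure identity",
    "DEBUG identity: {'username': 'alice', 'password': '" + FAKE_SHA512 + "'}",
    "INFO  PATH=$HOME/bin:$PATH",
    "DEBUG retrying identity step with hash " + FAKE_YESCRYPT,
    "ERROR install step failed with exit status 1",
])


def find_hashes(text):
    """Return (line_number, hash) for every crypt-style hash in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CRYPT_HASH.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact(text):
    """Replace each hash with '<scheme prefix><REDACTED>', e.g. '$6$<REDACTED>'."""
    def _mask(match):
        value = match.group(0)
        prefix = value[: value.index("$", 1) + 1]  # keep only '$id$'
        return prefix + "<REDACTED>"
    return CRYPT_HASH.sub(_mask, text)


if __name__ == "__main__":
    for lineno, value in find_hashes(SAMPLE_LOG):
        print(f"line {lineno}: {value[:8]}... ({len(value)} chars)")
    print(redact(SAMPLE_LOG))
```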
