Home

Description

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.

PUBLISHED Reserved 2026-01-07 | Published 2026-04-09 | Updated 2026-04-10 | Assigner canonical




LOW: 2.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U

Problem types

CWE-1258 Exposure of sensitive system information due to uncleared debug information

Product status

Default status
unaffected

Any version
affected

Any version
affected

Any version
affected

References

github.com/canonical/ubuntu-desktop-provision/pull/1400 (feat: don't log identity data (noble backport)) patch issue-tracking

github.com/canonical/ubuntu-desktop-provision/pull/1399 (feat: don't log identity data) patch issue-tracking

cve.org (CVE-2025-15480)

nvd.nist.gov (CVE-2025-15480)

Download JSON