CVE-2024-6174

Publication date 26 June 2025

Last updated 26 June 2025

Ubuntu priority

Cvss 3 Severity Score

When a non-x86 platform is detected, cloud-init grants root access to a hard coded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cloud-init	25.04 plucky	Vulnerable
	24.10 oracular	Vulnerable
	24.04 LTS noble	Vulnerable
	23.10 mantic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Vulnerable
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Not affected

How can I get the fixes?
What do statuses mean?

Severity score breakdown

Parameter	Value
Base score	8.8 · High
Attack vector	Adjacent
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-6174
https://github.com/canonical/cloud-init/releases/tag/25.1.3