CVE-2025-15480

Description

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

Low

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Unchanged

Affected products

Canonical / Ubuntu0 – 24.04.4
Canonical / Ubuntu0 – 25.10
Canonical / Ubuntu0 – 25.04

References

PATCHhttps://github.com/canonical/ubuntu-desktop-provision/pull/1400
PATCHhttps://github.com/canonical/ubuntu-desktop-provision/pull/1399