{"id":"CVE-2018-10896","details":"The default cloud-init configuration, in cloud-init 0.6.2 and newer, included \"ssh_deletekeys: 0\", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks.","modified":"2026-03-15T22:17:20.074828Z","published":"2018-08-01T17:29:00.393Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1574338"},{"type":"FIX","url":"https://bugs.launchpad.net/cloud-init/+bug/1781094"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10896"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/canonical/cloud-init","events":[{"introduced":"2a84a2603f22e5362c8a6620bea51df220245d9f"},{"fixed":"e28000457591bde9f22d6b7a538b1fc33349d780"}],"database_specific":{"versions":[{"introduced":"0.6.2"},{"fixed":"18.4"}]}}],"versions":["0.6.2","0.6.3","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.7.8","0.7.9","17.1","17.2","18.1","18.2","18.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10896.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}