CVE-2021-20319

Published: Mar 4, 2022Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.

Affected (1)

Products: Redhat: Coreos Installer

1 product

Coreos Installer

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Coreos Installer	Before 0.10.1

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://bugzilla.redhat.com/show_bug.cgi?id=2011862

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89

Source: secalert@redhat.com

PatchThird Party Advisory

https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2011862

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.