CVE-2021-20319
Severity: HIGH
Title: coreos-installer < 0.10.1 - Improper Verification of Cryptographic Signature via Crafted Gzip Image
Title source: llmDescription
Description: An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and consequently lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data and achieve full access to the node being installed.
References (3)
Issue Tracking, Vendor Advisory (x_refsource_misc): https://bugzilla.redhat.com/show_bug.cgi?id=2011862
Third Party Advisory (x_refsource_misc): https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593
Patch, Third Party Advisory (x_refsource_misc): https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89
Scores
CVSS v3: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL
EPSS: 0.0010
EPSS Percentile: 27.0%
Details
CWE: CWE-347
Status: published
Products (2)
crates.io/coreos-installer: 0 - 0.10.1 (crates.io)
redhat/coreos-installer: < 0.10.1
Published: Mar 04, 2022
Tracked Since: Feb 18, 2026