CVE-2021-3917

MEDIUM

coreos-installer < 0.10.0 - Incorrect Default Permissions in Ignition Config

Title source: llm

Description

A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data. The highest threat from this vulnerability is to confidentiality.

References (4)

Core 4

Core References

Issue Tracking, Patch, Third Party Advisory x_refsource_misc

https://github.com/coreos/fedora-coreos-tracker/issues/889

Patch, Third Party Advisory x_refsource_misc

https://github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c

View Patch ZIP pw:eip

Issue Tracking, Vendor Advisory x_refsource_misc

https://bugzilla.redhat.com/show_bug.cgi?id=2018478

Patch, Vendor Advisory x_refsource_misc

https://access.redhat.com/security/cve/CVE-2021-3917

Scores

CVSS v3 5.5

EPSS 0.0011

EPSS Percentile 28.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-276

Status published

Products (2)

crates.io/coreos-installer 0 - 0.10.0crates.io

redhat/coreos-installer < 0.10.0

Published Aug 23, 2022

Tracked Since Feb 18, 2026