Vulnerability Description
An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.
CVSS Score
7.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Coreos-Installer | < 0.10.1 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2011862 (Issue Tracking, Vendor Advisory)
- https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da (Patch, Third Party Advisory)
- https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g5 (Third Party Advisory)
FAQ
What is CVE-2021-20319?
CVE-2021-20319 is a vulnerability with a CVSS score of 7.8 (HIGH). An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to...
How severe is CVE-2021-20319?
CVE-2021-20319 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-20319?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Coreos-Installer.