Vulnerability CVE-2021-20319


Published: 2022-03-04

Description:
An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.

Type:

CWE-347

(Improper Verification of Cryptographic Signature)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Redhat -> Coreos-installer 

 References:
https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593
https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89
https://bugzilla.redhat.com/show_bug.cgi?id=2011862

Copyright 2022, cxsecurity.com

 

Back to Top