Vulnerability Details : CVE-2021-20319
An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.
Products affected by CVE-2021-20319
- cpe:2.3:a:redhat:coreos-installer:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-20319
- EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
- Percentile: ~46% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-20319
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | 
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 
CWE ids for CVE-2021-20319
- The product does not verify, or incorrectly verifies, the cryptographic signature for data.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2021-20319
- https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593
  "coreos-installer < 0.10.1 improperly verifies GPG signature when decompressing gzipped artifact" (Advisory, coreos/coreos-installer, GitHub). Tags: Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2011862
  "2011862 – (CVE-2021-20319) CVE-2021-20319 coreos-installer: incorrect signature verification on gzip-compressed install images". Tags: Issue Tracking; Vendor Advisory
- https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89
  "[release-0.10] io: check for EOF when decoding a gzip stream (CVE-2021-20319)" by bgilbert, Pull Request #659, coreos/coreos-installer, GitHub. Tags: Patch; Third Party Advisory
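The description above and the fix title ("check for EOF when decoding a gzip stream") together describe the failure mode: a signature check that only fires when the underlying stream reaches EOF is never reached if the gzip decoder stops at the gzip trailer. The following added example (not coreos-installer's code, which uses GPG) models that with an HMAC stand-in for the signature, a `VerifyReader` that verifies at EOF, and a decompressor run once without and once with the EOF check; all names and the sample images are constructed.

```python
import gzip
import hashlib
import hmac
import io
import zlib

# Constructed sample data: the "signature" is an HMAC over the compressed
# bytes, standing in for the GPG detached signature of a real image.
KEY = b"constructed-demo-key"
GOOD_IMAGE = gzip.compress(b"genuine installer payload")
GOOD_SIG = hmac.new(KEY, GOOD_IMAGE, hashlib.sha256).digest()
TAMPERED_IMAGE = gzip.compress(b"attacker-controlled payload")


class VerifyReader:
    """Hashes every byte handed out; checks the signature only when the
    wrapped stream reports EOF (an empty read)."""
    def __init__(self, data, sig):
        self._buf, self._sig = io.BytesIO(data), sig
        self._mac = hmac.new(KEY, digestmod=hashlib.sha256)
        self.verified = False

    def read(self, n=-1):
        chunk = self._buf.read(n)
        if chunk:
            self._mac.update(chunk)
        elif not self.verified:
            if not hmac.compare_digest(self._mac.digest(), self._sig):
                raise ValueError("signature verification failed")
            self.verified = True
        return chunk


def decompress(reader, check_eof):
    d = zlib.decompressobj(wbits=31)  # 31 = gzip framing, one member
    out = b""
    while not d.eof:
        chunk = reader.read(4096)
        if not chunk:
            raise ValueError("truncated gzip stream")
        out += d.decompress(chunk)
    # Vulnerable behaviour: return as soon as the gzip trailer is seen, so
    # the reader never returns EOF and the signature check never runs.
    if check_eof:
        # Fixed behaviour: reject trailing bytes and read on to EOF, which
        # is what makes VerifyReader actually check the signature.
        if d.unused_data or reader.read(1):
            raise ValueError("trailing data after gzip stream")
    return out


def install(image, sig, check_eof):
    """Return (payload, verified); raises ValueError on a rejected image."""
    r = VerifyReader(image, sig)
    return decompress(r, check_eof), r.verified


def is_rejected(image, sig, check_eof):
    try:
        install(image, sig, check_eof)
        return False
    except ValueError:
        return True
```

With `check_eof=False` the tampered image installs with `verified == False`; with the EOF check it is rejected and the genuine image installs verified.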