Vulnerability Details : CVE-2021-3917
A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data. The highest threat from this vulnerability is to confidentiality.
Products affected by CVE-2021-3917
- cpe:2.3:a:redhat:coreos-installer:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3917
- EPSS score: 0.03% (probability of exploitation activity in the next 30 days)
- Percentile: ~5% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-3917
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | |
CWE ids for CVE-2021-3917
- During installation, installed file permissions are set to allow anyone to modify those files.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2021-3917
- https://github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c
  install: restrict access permissions on /boot/ignition{,/config.ign} · coreos/coreos-installer@2a36405 · GitHub (Patch; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2018478
  2018478 – (CVE-2021-3917) CVE-2021-3917 coreos-installer: restrict access permissions on /boot/ignition{,/config.ign} (Issue Tracking; Vendor Advisory)
- https://github.com/coreos/fedora-coreos-tracker/issues/889
  Change `/boot/ignition/config.ign` permissions to 0600 and delete it after provisioning · Issue #889 · coreos/fedora-coreos-tracker · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://access.redhat.com/security/cve/CVE-2021-3917
  CVE-2021-3917 - Red Hat Customer Portal (Patch; Vendor Advisory)