Description

An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.

Related CPE's

a

redhat

coreos-installer

Vulnerable

References

https://bugzilla.redhat.com/show_bug.cgi?id=2011862

Issue TrackingVendor Advisory

https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89

PatchThird Party Advisory

https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-347

[email protected]

Secondary
CWE-347

CVSS impact metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.8 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2022-03-04T18:15:08.060

3 years ago

Last modified

2022-03-11T15:37:35.570

3 years ago