CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3917 – coreos-installer: restrict access permissions on /boot/ignition{,/config.ign}
https://notcve.org/view.php?id=CVE-2021-3917
A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en coreos-installer, que escribe la configuración de Ignition en el sistema de destino con permisos de acceso de lectura general. Este fallo permite a un atacante local tener acceso de lectura a datos potencialmente confidenciales. • https://access.redhat.com/security/cve/CVE-2021-3917 https://bugzilla.redhat.com/show_bug.cgi?id=2018478 https://github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c https://github.com/coreos/fedora-coreos-tracker/issues/889 • CWE-276: Incorrect Default Permissions •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20319 – coreos-installer: incorrect signature verification on gzip-compressed install images
https://notcve.org/view.php?id=CVE-2021-20319
An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed. Se ha encontrado una vulnerabilidad de verificación de firma inapropiada en coreos-installer. Una imagen de instalación gzip especialmente diseñada puede omitir la verificación de la firma de la imagen y, como consecuencia, puede conllevar a una instalación de contenido no firmado. • https://bugzilla.redhat.com/show_bug.cgi?id=2011862 https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89 https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593 https://access.redhat.com/security/cve/CVE-2021-20319 • CWE-347: Improper Verification of Cryptographic Signature •