CVE-2021-20319

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-20319

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20319.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-20319

Aliases

GHSA-3r3g-g73x-g593

Downstream

RHSA-2021:3926

RHSA-2021:3930

RHSA-2021:3934

RHSA-2021:4008

Related

GHSA-3r3g-g73x-g593

Published

2022-03-04T18:15:08Z

Modified

2025-10-21T05:55:17.041394Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.

References

Affected packages

Git / github.com/coreos/coreos-installer

Affected ranges

Type: GIT
Repo: https://github.com/coreos/coreos-installer
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

34474058438d493c9b91bf49d80f47356031771e

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.10.0

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.7.1

v0.7.2

v0.8.0

v0.9.0

v0.9.1