GHSA-862g-9h5m-m3qv

Suggest an improvement
Source
https://github.com/advisories/GHSA-862g-9h5m-m3qv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-862g-9h5m-m3qv/GHSA-862g-9h5m-m3qv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-862g-9h5m-m3qv
Aliases
Published
2021-11-08T18:01:13Z
Modified
2023-11-08T04:06:32.214668Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
coreos-installer < 0.10.0 writes world-readable Ignition config to installed system
Details

Impact

On systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to /boot/ignition/config.ign with world-readable permissions, granting unprivileged users access to any secrets included in the config.

Default configurations of Fedora CoreOS and RHEL CoreOS do not include any unprivileged user accounts. In addition, instances launched from a cloud image, and systems provisioned with the ignition.config.url kernel argument, do not use the config.ign file and are unaffected.

Patches

coreos-installer 0.10.0 and later writes the Ignition config with restricted permissions.

Workarounds

On Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, the /boot/ignition directory and its contents are removed after provisioning is complete. All Fedora CoreOS systems that have updated to these versions or later have automatically removed the /boot/ignition directory and no action is required.

On other systems, /boot/ignition/config.ign can be removed manually, as it is not used after provisioning is complete:

sudo mount -o remount,rw /boot
sudo rm -rf /boot/ignition

References

For more information, see https://github.com/coreos/fedora-coreos-tracker/issues/889.

For more information

If you have any questions or comments about this advisory, open an issue in coreos-installer or email the CoreOS development mailing list.

Database specific
{
    "nvd_published_at": "2022-08-23T20:15:00Z",
    "cwe_ids": [
        "CWE-276"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-04T17:11:09Z"
}
References

Affected packages

crates.io / coreos-installer

Package

Name
coreos-installer
View open source insights on deps.dev
Purl
pkg:cargo/coreos-installer

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.10.0