Vulnerability-Lookup

CVE-2021-20319 (GCVE-0-2021-20319)

Vulnerability from cvelistv5 – Published: 2022-03-04 17:05 – Updated: 2024-08-03 17:37

Summary

An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.

Severity ?

No CVSS data available.

CWE

CWE-347 - - Improper Verification of Cryptographic Signature

Assigner

redhat

References

URL

	Vendor	Product	Version
	n/a	coreos-installer	Affected: Affects coreos-installer before v0.10.1, Fixed in v0.10.1.

FKIE_CVE-2021-20319

Vulnerability from fkie_nvd - Published: 2022-03-04 18:15 - Updated: 2024-11-21 05:46

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2011862	Issue Tracking, Vendor Advisory
secalert@redhat.com	https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89	Patch, Third Party Advisory
secalert@redhat.com	https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=2011862	Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593	Third Party Advisory

Impacted products

	Vendor	Product	Version
	redhat	coreos-installer	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:coreos-installer:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC97AE96-45A5-41F7-8300-FA9957F83E6A",
              "versionEndExcluding": "0.10.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado una vulnerabilidad de verificaci\u00f3n de firma inapropiada en coreos-installer. Una imagen de instalaci\u00f3n gzip especialmente dise\u00f1ada puede omitir la verificaci\u00f3n de la firma de la imagen y, como consecuencia, puede conllevar a una instalaci\u00f3n de contenido no firmado. Un atacante capaz de modificar la imagen de instalaci\u00f3n original puede escribir datos arbitrarios y conseguir acceso completo al nodo que se est\u00e1 instalando"
    }
  ],
  "id": "CVE-2021-20319",
  "lastModified": "2024-11-21T05:46:22.183",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-04T18:15:08.060",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-20319

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-20319

Aliases

CVE-2021-20319

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-20319",
    "description": "An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.",
    "id": "GSD-2021-20319",
    "references": [
      "https://access.redhat.com/errata/RHSA-2021:4008",
      "https://access.redhat.com/errata/RHSA-2021:3934",
      "https://access.redhat.com/errata/RHSA-2021:3930",
      "https://access.redhat.com/errata/RHSA-2021:3926"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-20319"
      ],
      "details": "An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.",
      "id": "GSD-2021-20319",
      "modified": "2023-12-13T01:23:12.719522Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2021-20319",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "coreos-installer",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Affects coreos-installer before v0.10.1, Fixed in v0.10.1."
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-347 - Improper Verification of Cryptographic Signature"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862"
          },
          {
            "name": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593",
            "refsource": "MISC",
            "url": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593"
          },
          {
            "name": "https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89",
            "refsource": "MISC",
            "url": "https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:coreos-installer:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.10.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-20319"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-347"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593"
            },
            {
              "name": "https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-03-11T15:37Z",
      "publishedDate": "2022-03-04T18:15Z"
    }
  }
}

cve-2021-20319

Vulnerability from osv_rustsec

Published

2022-03-04 12:00

Modified

2025-12-21 13:45

Summary

Incorrect signature verification on gzip-compressed install images

Details

The coreos-installer is a program to fetch a disk image and stream it to a target disk.

During the installation process the installation image gpg signatures are verified.

The signature verification can be bypassed for gzip-compressed images due to a flaw in gzip coreos-installer wrapper.

When the decoder encounters the gzip trailer, it signals EOF to its output and does not continue reading from its input. As a result, earlier wrappers don't notice that they've reached EOF.

In particular, the GPG wrapper does not check the exit code of GPG.

Thus, if an attacker can substitute an attacker-controlled gzipped disk image, installation will complete successfully without a valid signature.

This vulnerability impacts only specific, User-Provisioned Infrastructure (UPI) installation methods where coreos-installer is used and where gzip-compressed images are configured as the installation source.

The Installer-Provisioned Infrastructure (IPI) bare-metal installs do use coreos-installer, but this installation method uses an install image embedded in the live OS image (ISO or PXE image), therefore is not affected by this vulnerability.

This vulnerability is specific to some upstream Fedora CoreOS installation flows.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "privilege-escalation"
        ],
        "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "coreos-installer",
        "purl": "pkg:cargo/coreos-installer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.10.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2021-20319",
    "GHSA-3r3g-g73x-g593"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "The coreos-installer is a program to fetch a disk image and\nstream it to a target disk.\n\nDuring the installation process the installation image gpg\nsignatures are verified.\n\nThe signature verification can be bypassed for gzip-compressed\nimages due to a flaw in gzip coreos-installer wrapper.\n\nWhen the decoder encounters the gzip trailer, it signals EOF\nto its output and does not continue reading from its input.\nAs a result, earlier wrappers don\u0027t notice that they\u0027ve reached\nEOF.\n\nIn particular, the GPG wrapper does not check the exit code of GPG.\n\nThus, if an attacker can substitute an attacker-controlled\ngzipped disk image, installation will complete successfully\nwithout a valid signature.\n\nThis vulnerability impacts only specific, User-Provisioned\nInfrastructure (UPI) installation methods where coreos-installer\nis used and where gzip-compressed images are configured as\nthe installation source.\n\nThe Installer-Provisioned Infrastructure (IPI) bare-metal\ninstalls do use coreos-installer, but this installation\nmethod uses an install image embedded in the live OS image\n(ISO or PXE image), therefore is not affected by this\nvulnerability.\n\nThis vulnerability is specific to some upstream Fedora\nCoreOS installation flows.",
  "id": "RUSTSEC-2022-0103",
  "modified": "2025-12-21T13:45:28Z",
  "published": "2022-03-04T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/coreos-installer"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0103.html"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20319"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect signature verification on gzip-compressed install images"
}

GHSA-3R3G-G73X-G593

Vulnerability from github – Published: 2021-10-12 16:06 – Updated: 2025-12-22 16:27

Summary

coreos-installer improperly verifies GPG signature when decompressing gzipped artifact

Details

Impact

coreos-installer fails to correctly verify GPG signatures when decompressing gzip-compressed artifacts. This allows bypass of signature verification in cases where coreos-installer decompresses a downloaded OS image, allowing an attacker who can modify the OS image to compromise a newly-installed system.

Default installations from ISO or PXE media in Fedora CoreOS, RHEL CoreOS, and RHEL for Edge are not affected, as coreos-installer installs from an OS image shipped as part of the install media.

These flows are affected:

Installing with --image-file, --image-url, or coreos.inst.image_url. For example, if a user has a local mirror of installation images, an attacker could replace an image with a gzip-compressed alternative (even if the file extension is .xz). The result:

``` $ coreos-installer install --image-url http://localhost:8080/image.xz /dev/loop0 Downloading image from http://localhost:8080/image.xz Downloading signature from http://localhost:8080/image.xz.sig

Read disk 749.9 MiB/749.9 MiB (100%) gpg: Signature made Mon 20 Sep 2021 02:41:50 PM EDT gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39 gpg: BAD signature from "Fedora (34) fedora-34-primary@fedoraproject.org" [ultimate] Install complete. ```

Notice that GPG reports a bad signature, but coreos-installer continues anyway. Automation that relies on coreos-installer's exit status will not notice either.
coreos-installer download --decompress --image-url:

``` $ coreos-installer download --decompress --image-url http://localhost:8080/image.xz

Read disk 749.9 MiB/749.9 MiB (100%) gpg: Signature made Mon 20 Sep 2021 02:41:50 PM EDT gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39 gpg: BAD signature from "Fedora (34) fedora-34-primary@fedoraproject.org" [ultimate] ./image ```

Again, coreos-installer reports success.
Installing with default parameters, when not installing from the image built into live ISO or PXE media, if the hosting service is compromised or if an active attacker gains control of the HTTPS response.
coreos-installer download --decompress if the hosting service is compromised or if an active attacker gains control of the HTTPS response.

Patches

The vulnerability is fixed in coreos-installer 0.10.1.

Workarounds

For coreos-installer download, do not use the -d or --decompress options.

For coreos-installer install, manually inspect the stderr output. If BAD signature appears, do not boot from the target disk. Note, however, that some OS services may have already accessed data on the compromised disk.

References

For more information, see PR 655.

For more information

If you have any questions or comments about this advisory, open an issue in coreos-installer or email the CoreOS development mailing list.

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "coreos-installer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-20319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-11T21:17:04Z",
    "nvd_published_at": "2022-03-04T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\ncoreos-installer fails to correctly verify GPG signatures when decompressing gzip-compressed artifacts.  This allows bypass of signature verification in cases where coreos-installer decompresses a downloaded OS image, allowing an attacker who can modify the OS image to compromise a newly-installed system.\n\nDefault installations from ISO or PXE media in Fedora CoreOS, RHEL CoreOS, and RHEL for Edge are **not** affected, as coreos-installer installs from an OS image shipped as part of the install media.\n\nThese flows are affected:\n\n1.  Installing with `--image-file`, `--image-url`, or `coreos.inst.image_url`.  For example, if a user has a local mirror of installation images, an attacker could replace an image with a gzip-compressed alternative (even if the file extension is `.xz`).  The result:\n\n    ```\n    $ coreos-installer install --image-url http://localhost:8080/image.xz /dev/loop0\n    Downloading image from http://localhost:8080/image.xz\n    Downloading signature from http://localhost:8080/image.xz.sig\n    \u003e Read disk 749.9 MiB/749.9 MiB (100%)\n    gpg: Signature made Mon 20 Sep 2021 02:41:50 PM EDT\n    gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39\n    gpg: BAD signature from \"Fedora (34) \u003cfedora-34-primary@fedoraproject.org\u003e\" [ultimate]\n    Install complete.\n    ```\n\n    Notice that GPG reports a bad signature, but coreos-installer continues anyway.  Automation that relies on coreos-installer\u0027s exit status will not notice either.\n\n2. `coreos-installer download --decompress --image-url`:\n\n    ```\n    $ coreos-installer download --decompress --image-url http://localhost:8080/image.xz\n    \u003e Read disk 749.9 MiB/749.9 MiB (100%)\n    gpg: Signature made Mon 20 Sep 2021 02:41:50 PM EDT\n    gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39\n    gpg: BAD signature from \"Fedora (34) \u003cfedora-34-primary@fedoraproject.org\u003e\" [ultimate]\n    ./image\n    ```\n\n    Again, coreos-installer reports success.\n\n3. Installing with default parameters, when **not** installing from the image built into live ISO or PXE media, if the hosting service is compromised or if an active attacker gains control of the HTTPS response.\n\n4. `coreos-installer download --decompress` if the hosting service is compromised or if an active attacker gains control of the HTTPS response.\n\n### Patches\n\nThe vulnerability is [fixed](https://github.com/coreos/coreos-installer/pull/659) in coreos-installer 0.10.1.\n\n### Workarounds\n\nFor `coreos-installer download`, do not use the `-d` or `--decompress` options.\n\nFor `coreos-installer install`, manually inspect the stderr output.  If `BAD signature` appears, do not boot from the target disk.  Note, however, that some OS services may have already accessed data on the compromised disk.\n\n### References\n\nFor more information, see [PR 655](https://github.com/coreos/coreos-installer/pull/655).\n\n### For more information\n\nIf you have any questions or comments about this advisory, [open an issue in coreos-installer](https://github.com/coreos/coreos-installer/issues/new/choose) or email the CoreOS [development mailing list](https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org/).",
  "id": "GHSA-3r3g-g73x-g593",
  "modified": "2025-12-22T16:27:06Z",
  "published": "2021-10-12T16:06:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g73x-g593"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20319"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/coreos-installer/pull/655"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coreos/coreos-installer"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0103.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "coreos-installer improperly verifies GPG signature when decompressing gzipped artifact"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-20319 (GCVE-0-2021-20319)

FKIE_CVE-2021-20319

GSD-2021-20319

cve-2021-20319

Vulnerability from osv_rustsec

GHSA-3R3G-G73X-G593

Impact

Patches

Workarounds

References

For more information

Tags

Sightings

Nomenclature