Description
An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.
References
- Issue Tracking, Vendor Advisory
- https://github.com/coreos/coreos-installer/pull/659/commits/ad243c6f0eff2835b2da56ca5f7f33af76253c89 (Patch, Third Party Advisory)
- Third Party Advisory
Vulnerable configurations
EPSS
CVSS3: 7.8 High
CVSS2: 6.8 Medium
Defects
Related vulnerabilities
coreos-installer improperly verifies GPG signature when decompressing gzipped artifact
EPSS
CVSS3: 7.8 High
CVSS2: 6.8 Medium