VYPR
High severity · NVD Advisory · Published Mar 4, 2022 · Updated Aug 3, 2024

CVE-2021-20319

Description

An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

coreos-installer versions before 0.10.1 never check the result of GPG signature verification when the installation image is gzip-compressed, so a tampered image is installed and the node being provisioned is fully compromised.

Vulnerability

An improper signature verification vulnerability exists in coreos-installer versions prior to 0.10.1 [1][3]. When decompressing a gzip-compressed installation image, the GzDecoder stops as soon as the gzip stream ends and never reads the underlying source to EOF; the GpgReader beneath it checks GPG's exit status only when it reaches EOF, so that check is never performed [4]. A specially crafted gzip image therefore bypasses GPG signature verification entirely. The affected flows are those that fetch an image from somewhere other than the installation media: --image-file, --image-url, the coreos.inst.image_url kernel argument, and coreos-installer download --decompress --image-url [3][4]. Default installations from ISO or PXE media are not affected, because they install the image bundled with the media [3][4].

Exploitation

The attacker must be able to modify or replace the installation image before the target fetches it, for instance by controlling the server that hosts it or the network path to it [1]; no authentication is required. The attacker substitutes a gzip-compressed image for the legitimate one. The file name does not matter: the installer selects the decompressor from the content, so even an image that is expected to be .xz can be replaced with gzip data [3][4]. The victim runs the installer with --image-url or a similar option, and coreos-installer downloads the image, streams it through GPG signature verification and decompresses it. GPG reports a bad signature, but because coreos-installer never checks GPG's exit status in this path, the installation proceeds with the attacker's image [3][4]. User interaction is required in the sense that the victim has to run the installer against the attacker-influenced URL or file.

Impact

Successful exploitation installs unsigned, attacker-controlled content on the target node [1]. Because the attacker supplies the disk image itself, they can write arbitrary data to the disk and gain full control of the newly installed system, with high impact on confidentiality, integrity and availability [1][3]. The compromise happens at OS installation time, before any defence on the node exists, so the attacker's control is equivalent to root on the installed node [2].

Mitigation

The vulnerability is fixed in coreos-installer 0.10.1 [2][3]; users should upgrade to that release or later. Only installs that fetch an image from outside the installation media (--image-file, --image-url, coreos.inst.image_url, or coreos-installer download --decompress --image-url) are exposed; the default live ISO and PXE install paths are not [3][4]. No workaround exists within the installer itself if the patched version cannot be deployed: the remaining mitigations are to avoid those flows, or to verify the downloaded image's detached GPG signature out of band (for example with gpg --verify) before handing it to --image-file. The vulnerability is tracked in the RustSec advisory database as RUSTSEC-2022-0103 [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Affected versions   Patched versions
coreos-installer (crates.io)  < 0.10.1            0.10.1

Affected products

2 affected products.

Patches

No patches discovered yet (0).

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7 references.

News mentions

No linked articles in our index yet (0).