CVE-2021-3917
Description
A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data. The highest threat from this vulnerability is to confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
coreos-installer writes the Ignition config to the target system with world-readable permissions, allowing local attackers to access sensitive data.
Vulnerability
Overview
The vulnerability (CVE-2021-3917) exists in the coreos-installer tool, where the Ignition configuration file (/boot/ignition/config.ign) is written to the target system with world-readable access permissions (e.g., 0644 or similar). The issue was identified in the bug tracker and is described as a need to "restrict access permissions" on the files [1][3].
Exploitation
An attacker with local access to the system can read the Ignition config file. As the file is world-readable, no special privileges are required beyond basic shell access. The coreos-installer typically runs during initial provisioning, and the config file may contain sensitive information embedded during deployment [2][4].
Impact
The primary threat is to confidentiality. The Ignition configuration can contain credentials, tokens, certificates, or other sensitive data used to provision the system. A local attacker who can read this file could obtain secrets that might enable further compromise or lateral movement [2].
Mitigation
The vulnerability is addressed by restricting file permissions on /boot/ignition/config.ign to 0600 (owner read/write only) and optionally deleting the file after provisioning completes [4]. Red Hat has released updates for affected components as part of their errata [3]. Organizations should apply the latest patches for coreos-installer and ensure that Ignition configs do not persist with excessive permissions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
coreos-installercrates.io | < 0.10.0 | 0.10.0 |
Affected products
2- coreos-installer/coreos-installerdescription
Patches
12a36405339c8install: restrict access permissions on /boot/ignition{,/config.ign}
1 file changed · +26 −3
src/install.rs+26 −3 modified@@ -16,9 +16,11 @@ use anyhow::{bail, Context, Result}; use lazy_static::lazy_static; use nix::mount; use regex::Regex; -use std::fs::{copy as fscopy, create_dir_all, read_dir, File, OpenOptions}; +use std::fs::{ + copy as fscopy, create_dir_all, read_dir, set_permissions, File, OpenOptions, Permissions, +}; use std::io::{copy, Read, Seek, SeekFrom, Write}; -use std::os::unix::fs::FileTypeExt; +use std::os::unix::fs::{FileTypeExt, PermissionsExt}; use std::path::{Path, PathBuf}; use crate::blockdev::*; @@ -248,7 +250,21 @@ fn write_ignition( // make parent directory let mut config_dest = mountpoint.to_path_buf(); config_dest.push("ignition"); - create_dir_all(&config_dest).context("creating Ignition config directory")?; + if !config_dest.is_dir() { + create_dir_all(&config_dest).with_context(|| { + format!( + "creating Ignition config directory {}", + config_dest.display() + ) + })?; + // Ignition data may contain secrets; restrict to root + set_permissions(&config_dest, Permissions::from_mode(0o700)).with_context(|| { + format!( + "setting file mode for Ignition directory {}", + config_dest.display() + ) + })?; + } // do the copy config_dest.push("config.ign"); @@ -262,6 +278,13 @@ fn write_ignition( config_dest.display() ) })?; + // Ignition config may contain secrets; restrict to root + set_permissions(&config_dest, Permissions::from_mode(0o600)).with_context(|| { + format!( + "setting file mode for destination Ignition config {}", + config_dest.display() + ) + })?; copy(&mut config_in, &mut config_out).context("writing Ignition config")?; Ok(())
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-862g-9h5m-m3qvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-3917ghsaADVISORY
- access.redhat.com/security/cve/CVE-2021-3917ghsax_refsource_MISCWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_MISCWEB
- github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0cghsax_refsource_MISCWEB
- github.com/coreos/coreos-installer/releases/tag/v0.10.0ghsaWEB
- github.com/coreos/coreos-installer/security/advisories/GHSA-862g-9h5m-m3qvghsaWEB
- github.com/coreos/fedora-coreos-tracker/issues/889ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.