Xlejo

#45937 of 53,624
5.5 Total CVSS
Vulnerabilities · 1
PT-2021-22427
5.5
2021-11-08
Unknown · Coreos-Installer · CVE-2021-3917
**Name of the Vulnerable Software and Affected Versions**

coreos-installer versions prior to 0.10.0

**Description**

A flaw was found in the coreos-installer, where it writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data, posing a threat to confidentiality. On systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to `/boot/ignition/config.ign` with world-readable permissions, granting unprivileged users access to any secrets included in the config.

**Recommendations**

For coreos-installer versions prior to 0.10.0, update to coreos-installer 0.10.0 or later, which writes the Ignition config with restricted permissions.

On Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, no action is required, as the `/boot/ignition` directory and its contents are removed after provisioning is complete.

On other systems, manually remove `/boot/ignition/config.ign` by running the commands:

```
sudo mount -o remount,rw /boot
sudo rm -rf /boot/ignition
```

As a temporary workaround, consider restricting access to the `/boot/ignition/config.ign` file until a patch is available.
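An added audit script (not part of the advisory or of coreos-installer) that checks whether an Ignition config left behind by a pre-0.10.0 install is readable by other users and applies the interim workaround of restricting its mode; it runs against a constructed copy of the file, with the real path `/boot/ignition/config.ign` only as the default argument.

```shell
#!/bin/sh
# Added example for CVE-2021-3917: detect a world-readable Ignition config
# written by coreos-installer < 0.10.0 and apply the interim mitigation
# (restrict the mode). Removing /boot/ignition after provisioning, as the
# advisory recommends, remains the permanent fix.

# ignition_config_exposed [PATH]
# Returns 0 when PATH exists and its "other" permission bits include read
# (the vulnerable state), 1 otherwise. PATH defaults to the real location.
ignition_config_exposed() {
    f="${1:-/boot/ignition/config.ign}"
    [ -f "$f" ] || return 1
    # GNU stat prints the octal mode with -c '%a'; BSD stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    other=$(( mode % 10 ))          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]      # 4 = read bit
}

# ignition_config_harden [PATH]
# Interim workaround from the advisory: drop all group/other bits (0600).
ignition_config_harden() {
    f="${1:-/boot/ignition/config.ign}"
    chmod 600 "$f"
}

# Constructed sample standing in for /boot/ignition/config.ign as written by
# an old installer (mode 0644); never touches the real /boot.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/config.ign"
printf '{"ignition":{"version":"3.2.0"}}\n' > "$demo_cfg"
chmod 644 "$demo_cfg"

if ignition_config_exposed "$demo_cfg"; then
    echo "VULNERABLE: $demo_cfg is world-readable; restricting to 0600"
    ignition_config_harden "$demo_cfg"
fi
ignition_config_exposed "$demo_cfg" || echo "OK: $demo_cfg is no longer world-readable"
rm -rf "$demo_dir"
```

Run it as root with no argument to audit the real file; the default path is only consulted when no argument is given.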