CVE-2022-1798 — Improper Input Validation in LLC Kubevirt

CWE-20 — Improper Input Validation CWE-22 — Path Traversal5 documents5 sources

Severity

6.5MEDIUMNVD

CNA8.7

EPSS

0.1%

top 67.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google LLC Kubevirt Kubevirt.io Kubevirt Kubevirt

Timeline

PublishedSep 15

Description

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages3 packages

▶NVDkubevirt/kubevirt0.20.0 — 0.55.1

▶CVEListV5google_llc/kubevirtunspecified — 0.55.1+1

▶Gokubevirt.io/kubevirt0.20.0 — 0.55.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Path Traversal vulnerability in Kubevirt↗2022-09-15

▶

GHSA

Duplicate Advisory: KubeVirt arbitrary host file read from the VM↗2022-08-18

▶

📋Vendor Advisories

Microsoft

Path Traversal vulnerability in Kubevirt↗2022-09-13

▶

Red Hat

kubeVirt: Arbitrary file read on the host from KubeVirt VMs↗2022-08-08

▶