Lucene search

[email protected]CVE-2022-1798

HistorySep 15, 2022 - 4:15 p.m.

CVE-2022-1798

2022-09-1516:15:10

CWE-20

CWE-22

[email protected]

web.nvd.nist.gov

1919

cve-2022-1798

kubevirt

path traversal

vulnerability

nvd

security

filesystem

uid

gid

8.7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.7%

JSON

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

Affected configurations

Vulners

NVD

Node

googlegoogle_appsRange≤0.55.1

googlegoogle_appsRange≤0.56.0

VendorProductVersionCPE
googlegoogle_apps*cpe:2.3:a:google:google_apps:*:*:*:*:*:*:*:*
googlegoogle_apps*cpe:2.3:a:google:google_apps:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
google	google_apps	*	cpe:2.3:a:google:google_apps::::::::
google	google_apps	*	cpe:2.3:a:google:google_apps::::::::

CNA Affected

[
  {
    "platforms": [
      "all"
    ],
    "product": "Kubevirt",
    "vendor": "Google LLC",
    "versions": [
      {
        "lessThan": "0.55.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "0.56.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]