← Retour aux CVEs
CVE-2019-10175
MEDIUM6.5
Description
A flaw was found in the containerized-data-importer in virt-cdi-cloner, version 1.4, where the host-assisted cloning feature does not determine whether the requesting user has permission to access the Persistent Volume Claim (PVC) in the source namespace. This could allow users to clone any PVC in the cluster into their own namespace, effectively allowing access to other user's data.
Details CVE
Score CVSS v3.16.5
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie6/28/2019
Derniere modification11/21/2024
Sourcenvd
Observations honeypot0
Produits affectes
kubevirt:containerized-data-importer
Faiblesses (CWE)
CWE-200CWE-284CWE-862
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10175(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10175(af854a3a-2127-422b-91ae-364da2661108)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.