Описание
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.
Ссылки
- Patch
- Patch
- Patch
- ExploitVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.5.3 (исключая)
Одно из
cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*
cpe:2.3:a:kubevirt:kubevirt:1.6.0:*:*:*:*:kubernetes:*:*
EPSS
Процентиль: 2%
0.00014
Низкий
4.7 Medium
CVSS3
6.3 Medium
CVSS3
Дефекты
CWE-287
Связанные уязвимости
CVSS3: 4.7
msrc
14 дней назад
KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing
CVSS3: 4.7
github
около 1 месяца назад
KubeVirt's Improper TLS Certificate Management Handling Allows API Identity Spoofing
EPSS
Процентиль: 2%
0.00014
Низкий
4.7 Medium
CVSS3
6.3 Medium
CVSS3
Дефекты
CWE-287