Kubevirt
CVE-2020-14316
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A flaw was found in kubevirt 0.29 and earlier. Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
AnalysisAI
A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
A flaw was found in kubevirt 0.29 and earlier. Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Affected products include: Kubevirt, Redhat Openshift Virtualization.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to confi
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.2), this vulnerability is re
Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick t
KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for an
Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubev
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command
Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and ch
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code av
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code av
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today