PT-2019-11605 · Unknown · Virt-Cdi-Cloner

Published: 2019-06-28 · Updated: 2020-10-01 · CVE-2019-10175

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: virt-cdi-cloner version 1.4
Description: A flaw in the containerized-data-importer of virt-cdi-cloner allows users to clone any Persistent Volume Claim (PVC) in the cluster into their own namespace, effectively granting access to other users' data. This occurs because the host-assisted cloning feature does not verify whether the requesting user has permission to access the PVC in the source namespace.
Recommendations: For virt-cdi-cloner version 1.4, consider restricting access to the host-assisted cloning feature until a patch is available to ensure that users can only clone PVCs they have permission to access.

Fix

Missing Authorization

Improper Access Control

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2019-10175

Affected Products

Virt-Cdi-Cloner