CVE-2019-3841

Name of the Vulnerable Software and Affected Versions Kubevirt/virt-cdi-importer versions 1.4.0 through 1.5.3

Description The issue is related to incorrect authentication of a certificate in the data import service of Kubevirt, which could allow a remote attacker to perform a man-in-the-middle attack. This attack could occur between a container registry and the virt-cdi-component, potentially leading to undetected tampering of trusted container image content.

Recommendations For versions 1.4.0 through 1.5.3, consider disabling the TLS certificate validation disabling feature in the virt-cdi-importer until a patch is available, or restrict access to the container registries to minimize the risk of exploitation.