PT-2019-11605 · Unknown · Virt-Cdi-Cloner

Published: 2019-06-28 · Updated: 2020-10-01 · CVE-2019-10175

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: virt-cdi-cloner version 1.4
Description: A flaw in the containerized-data-importer of virt-cdi-cloner allows users to clone any Persistent Volume Claim (PVC) in the cluster into their own namespace, effectively granting access to other users' data. This occurs because the host-assisted cloning feature does not verify whether the requesting user has permission to access the PVC in the source namespace.
Recommendations: For virt-cdi-cloner version 1.4, consider restricting access to the host-assisted cloning feature until a patch is available to ensure that users can only clone PVCs they have permission to access.

Fix

Missing Authorization

Improper Access Control

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2019-10175

Affected Products

Virt-Cdi-Cloner