GMS-2022-4130: KubeVirt vulnerable to arbitrary file read on host

September 15, 2022 (updated April 11, 2023)

As part of a Kubevirt audit performed by NCC group, a finding dealing with systemic lack of path sanitization which leads to a path traversal was identified. Google tested the exploitability of the paths in the audit report and identified that when combined with another vulnerability one of the paths leads to an arbitrary file read on the host from the VM. The read operations are limited to files which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

References

github.com/advisories/GHSA-qv98-3369-g364
github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm
github.com/kubevirt/kubevirt/pull/8198
github.com/kubevirt/kubevirt/pull/8268
github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364

Code Behaviors & Features

Detect and mitigate GMS-2022-4130 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →