Impact: Moderate Public Date: 2019-02-26 CWE: CWE-295 Bugzilla: 1677117: CVE-2019-3841 kubevirt/virt-cdi-importer: improper TLS certificate validation Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were reported to disable TLS certificate validation when importing data into PVCs from container registries. This could enable man-in-the-middle attacks between a container registry and the virt-cdi-component, leading to possible undetected tampering of trusted container image content.
Find out more about CVE-2019-3841 from the MITRE CVE dictionary dictionary and NIST NVD.
No public release of Red Hat Container Native Virtualization is affected by this flaw.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 7.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | None |
The vulnerability can only be triggered by an authenticated kubernetes user who is authorized to create PVCs. To mitigate, do not create PVCs with the "cdi.kubevirt.io/storage.import.source: "registry"" annotation and do not create DataVolumes that use the "registry" source.
Vulmon