CVE-2025-64437
中文标题:
(暂无数据)
英文标题:
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
漏洞描述
中文描述:
(暂无数据)
英文描述:
KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| kubevirt | kubevirt | < 1.5.3 | - | - |
cpe:2.3:a:kubevirt:kubevirt:<_1.5.3:*:*:*:*:*:*:*
|
| kubevirt | kubevirt | >= 1.6.0-alpha.0, < 1.6.1 | - | - |
cpe:2.3:a:kubevirt:kubevirt:>=_1.6.0-alpha.0,_<_1.6.1:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
cve.org
cve.org
cve.org
CVSS评分详情
3.1 (cna)
MEDIUMCVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-64437 |
2025-11-11 15:23:34 | 2025-11-11 07:40:50 |
| NVD | nvd_CVE-2025-64437 |
2025-11-11 15:01:08 | 2025-11-11 07:48:36 |
版本与语言
安全公告
变更历史
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']