27 matches found
CVE-2025-14459 affecting package kubevirt for versions less than 1.7.0-1
CVE-2025-14459 affecting package kubevirt for versions less than 1.7.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2025-65637 affecting package kubevirt for versions less than 0.59.0-32
CVE-2025-65637 affecting package kubevirt for versions less than 0.59.0-32. A patched version of the package is available...
CVE-2025-64324 KubeVirt Vulnerable to Arbitrary Host File Read and Write
KubeVirt is a virtual machine management add-on for Kubernetes. The hostDisk feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the DiskOrCreate...
CVE-2025-64436
KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could...
AZL-69961 CVE-2025-64434 affecting package kubevirt for versions less than 0.59.0-33
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler via verifyPeerCert, an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileg...
CVE-2025-64433 KubeVirt Arbitrary Container File Read
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod's file system. This issue stems from improper symlink handling when mounting PVC disks into a VM...
CVE-2025-64433 KubeVirt Arbitrary Container File Read
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod's file system. This issue stems from improper symlink handling when mounting PVC disks into a VM...
CVE-2025-64437 KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node ...
CVE-2025-64436
KubeVirt CVE-2025-64436 affects the virt-handler service account in KubeVirt up to version 1.5.0, where overprivileged permissions (e.g., updating VMI, patching nodes) could be abused to migrate a VMI to an attacker-controlled node or mark all nodes as unschedulable, potentially forcing privilege...
Incorrect Permission Assignment for Critical Resource
Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to the virt-api component failing to validate the CN field in client TLS certificates against allowed values in the extension-apiserver-authentication configmap. An attacker can...
EUVD-2023-0987
Malicious code in bioql PyPI...
EUVD-2022-6544
Malicious code in bioql PyPI...
EUVD-2024-1148
Malicious code in bioql PyPI...
CVE-2024-33394
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component...
AZL-77520 CVE-2025-30204 affecting package kubevirt for versions less than 0.59.0-38
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...
CVE-2025-22869 affecting package kubevirt for versions less than 1.2.0-14
CVE-2025-22869 affecting package kubevirt for versions less than 1.2.0-14. A patched version of the package is available...
Azure Linux 3.0 Security Update: kubevirt (CVE-2023-26484)
The version of kubevirt installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-26484 advisory. - KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicio...
AZL-54443 CVE-2024-45338 affecting package kubevirt for versions less than 1.2.0-12
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service...
CVE-2024-33394
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component...
AZL-64791 CVE-2024-33394 affecting package kubevirt for versions less than 1.5.0-2
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component...