N/A

Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were reported to disable TLS certificate validation when importing data into PVCs from container registries. This could enable man-in-the-middle attacks between a container registry and the virt-cdi-component, leading to possible undetected tampering of trusted container image content.

N/A

证书验证不恰当

kubevirt containerized data importer 安全漏洞

kubevirt containerized data importer是一款针对Kubernetes的数据导入器。 kubevirt containerized data importer 1.4.0版本至1.5.3版本中存在安全漏洞，该漏洞源于程序关闭了TLS证书验证功能。攻击者可利用该漏洞进行篡改操作。

N/A

N/A