CNNVD-202511-749 Information
CNNVD ID
CNNVD-202511-749
Related CVE
- CNNVD Published: 2025-11-07
Description (Chinese)
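KubeVirt is an open-source virtual machine manager from the KubeVirt project. KubeVirt versions before 1.5.3 and before 1.6.1 contain a link following vulnerability. It stems from virt-handler not verifying whether launcher-sock is a symbolic link or a regular file, which can lead to the ownership of arbitrary files on the host node being changed.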
Description (English)
KubeVirt is an open-source virtual machine manager. KubeVirt versions before 1.5.3 and before 1.6.1 have a link following vulnerability: virt-handler fails to verify whether launcher-sock is a symbolic link or a regular file, which could result in the ownership of arbitrary files on the host node being changed.
Hazard Level
High
Vulnerability Type
Link following
Affected Vendor
KubeVirt
Published
2025-11-07
Last Modified
2026-02-24
References
- https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb
- https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265
- https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf
- https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64437
- https://vigilance.fr/vulnerability/KubeVirt-five-vulnerabilities-dated-09-12-2025-49023