Merge pull request #2233 from RedHatProductSecurity/CVE-2019-10175

CVE-2019-10175
2025-06-10 02:04:31 +00:00 · 2019-06-28 15:56:37 -04:00 · 2019-06-28 15:56:37 -04:00 · 07d0cd97ff
commit 07d0cd97ff
parent 6e155503ff b5e607b736
1 changed files with 65 additions and 4 deletions
--- a/2019/10xxx/CVE-2019-10175.json
+++ b/2019/10xxx/CVE-2019-10175.json
@ -4,15 +4,76 @@
    "data_version": "4.0",
    "CVE_data_meta": {
        "ID": "CVE-2019-10175",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "ASSIGNER": "mrehak@redhat.com"
+    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "vendor_name": "KubeVirt",
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "containerized-data-importer",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "virt-cdi-cloner 1.4"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    }
+                }
+            ]
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-284"
+                    }
+                ]
+            },
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-200"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10175",
+                "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10175",
+                "refsource": "CONFIRM"
+            }
+        ]
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "A flaw was found in the containerized-data-importer in virt-cdi-cloner, version 1.4, where the host-assisted cloning feature does not determine whether the requesting user has permission to access the Persistent Volume Claim (PVC) in the source namespace. This could allow users to clone any PVC in the cluster into their own namespace, effectively allowing access to other user's data."
            }
        ]
+    },
+    "impact": {
+        "cvss": [
+            [
+                {
+                    "vectorString": "6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+                    "version": "3.0"
+                }
+            ]
+        ]
    }
-}
+}