KubeVirt Path Traversal Vulnerability in virt-exportserver Component Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in the virt-exportserver component of KubeVirt. It allows an attacker with specific namespace-level access to exploit the VMExport directory endpoint. By placing a symbolic link within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. The result is information disclosure, potentially exposing sensitive data. The issue affects PVCs that do not have the appropriate KubeVirt content type annotation; namespaces containing mixed workloads are more susceptible.
Impact
Exploitation of this vulnerability allows arbitrary files to be read from the exporter pod's filesystem, potentially leading to unauthorized information disclosure.
Reproduction
To reproduce this vulnerability, an attacker must have namespace-level access to create or control the contents of a filesystem PVC. The attacker can then place a symbolic link in the PVC that points outside its mount root. After creating a VirtualMachineExport resource for the PVC and obtaining the VMExport token, the attacker can access the VMExport directory endpoint, which will follow the symlink and expose the targeted files from the exporter pod's filesystem.
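A file-serving handler avoids this class of bug by resolving every symlink in the requested path before opening anything and rejecting results that land outside the mount root. The Go sketch below is an added example, not KubeVirt's code or its fix; `resolveWithinRoot` and `ErrEscapesRoot` are hypothetical names and the temp-directory layout is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a request resolves outside the mount root.
var ErrEscapesRoot = errors.New("path resolves outside mount root")

// resolveWithinRoot (hypothetical helper) maps a request path onto root,
// resolves every symlink, and rejects results that leave root.
func resolveWithinRoot(root, reqPath string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Rooting the request path at "/" before Clean neutralises "../" sequences.
	candidate := filepath.Join(realRoot, filepath.Clean("/"+reqPath))
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}

func main() {
	// Constructed layout: a "PVC" dir with one real file and one symlink leaving it.
	base, _ := os.MkdirTemp("", "export-demo")
	defer os.RemoveAll(base)
	pvc := filepath.Join(base, "pvc")
	os.Mkdir(pvc, 0o755)
	os.WriteFile(filepath.Join(base, "pod-secret"), []byte("x"), 0o600)
	os.WriteFile(filepath.Join(pvc, "disk.img"), []byte("x"), 0o600)
	os.Symlink(filepath.Join(base, "pod-secret"), filepath.Join(pvc, "link"))

	for _, p := range []string{"disk.img", "link", "../pod-secret"} {
		_, err := resolveWithinRoot(pvc, p)
		fmt.Printf("%-15s -> %v\n", p, err)
	}
}
```

A resolve-then-open check still leaves a window in which the volume's contents can change between the check and the open. On Go 1.24 and later, opening files through `os.Root` (`os.OpenRoot`) keeps the open itself confined to the root directory.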
