x/vulndb: potential Go vuln in github.com/kubevirt/kubevirt: CVE-2022-1798

[GoVulnBot]

CVE-2022-1798 references github.com/kubevirt/kubevirt, which may be a Go module.

Description:
A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-1798
• JSON: https://github.com/CVEProject/cvelist/tree/e35f1df99cb2c9bbd3092471fbdb45ddb2c38999/2022/1xxx/CVE-2022-1798.json
• web: GHSA-qv98-3369-g364
• Imported by: https://pkg.go.dev/github.com/kubevirt/kubevirt?tab=importedby

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/kubevirt/kubevirt
    packages:
      - package: Kubevirt
description: |
    A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.
cves:
  - CVE-2022-1798
credit: "Oliver Brooks and James Klopchic of NCC Group\tDiane Dubois and Roman Mohr
    of Google"
references:
  - web: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364

[tatianab]

Duplicate of #1000