The KubeVirt API is affected by an arbitrary file read vulnerability. It is possible to use the KubeVirt API to provide access to host files (like /etc/passwd for example) in a KubeVirt VM as a disk device that can be written to and read from.
This issue has been addressed in the following products: RHEL-8-CNV-4.10 Via RHSA-2022:6351 https://access.redhat.com/errata/RHSA-2022:6351
This issue has been addressed in the following products: RHEL-8-CNV-4.11 Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526
This issue has been addressed in the following products: RHEL-8-CNV-4.9 Via RHSA-2022:6681 https://access.redhat.com/errata/RHSA-2022:6681
This issue has been addressed in the following products: RHEL-8-CNV-4.8 Via RHSA-2022:6890 https://access.redhat.com/errata/RHSA-2022:6890
This issue has been addressed in the following products: RHEL-8-CNV-4.12 Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1798