CVE-2020-2023 – github.com/kata-containers/runtime

Package

Manager: go
Name: github.com/kata-containers/runtime
Vulnerable Version: >=0 <1.9.1 || >=1.10.0 <1.10.5 || >=1.11.0 <1.11.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01505 pctl0.80469

Details

Improper Privilege Management and Execution with Unnecessary Privileges in Kata Containers Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

Metadata

Created: 2022-02-15T01:57:18Z
Modified: 2021-10-20T17:38:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6978-vg2j-cc9q/GHSA-6978-vg2j-cc9q.json
CWE IDs: ["CWE-250", "CWE-269"]
Alternative ID: GHSA-6978-vg2j-cc9q
Finding: F159
Auto approve: 1