CVE-2020-2026 github.com/kata-containers/runtime

Package

Manager: go
Name: github.com/kata-containers/runtime
Vulnerable Version: >=0 <1.9.1 || >=1.10.0 <1.10.6 || =1.11.0 || >=1.11.0 <1.11.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00211 (percentile: 0.43642)

Details

Link Following in Kata Runtime

A malicious guest compromised before container creation (e.g. a malicious guest image or a guest running multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing for code execution on the host. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions.

Metadata

Created: 2022-02-15T01:57:18Z
Modified: 2021-05-13T19:28:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-877x-32pm-p28x/GHSA-877x-32pm-p28x.json
CWE IDs: ["CWE-59"]
Alternative ID: GHSA-877x-32pm-p28x
Finding: F076
Auto approve: 1