Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY5Nzgtdmcyai1jYzlx
Improper Privilege Management and Execution with Unnecessary Privileges in Kata Containers
Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.
Permalink: https://github.com/advisories/GHSA-6978-vg2j-cc9qJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY5Nzgtdmcyai1jYzlx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-6978-vg2j-cc9q, CVE-2020-2023
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2023
- https://github.com/kata-containers/agent/issues/791
- https://github.com/kata-containers/runtime/issues/2488
- https://github.com/kata-containers/agent/pull/792
- https://github.com/kata-containers/runtime/pull/2477
- https://github.com/kata-containers/runtime/pull/2487
- https://github.com/kata-containers/runtime/releases/tag/1.10.5
- https://github.com/kata-containers/runtime/releases/tag/1.11.1
- https://github.com/advisories/GHSA-6978-vg2j-cc9q
Blast Radius: 8.9
Affected Packages
go:github.com/kata-containers/runtime
Dependent packages: 3Dependent repositories: 4
Downloads:
Affected Version Ranges: >= 1.11.0, < 1.11.1, >= 1.10.0, < 1.10.5, <= 1.9
Fixed in: 1.11.1, 1.10.5, 1.9.1
All affected versions:
All unaffected versions:
go:github.com/kata-containers/agent
Dependent packages: 0Dependent repositories: 8
Downloads:
Affected Version Ranges: >= 1.11.0, < 1.11.1, >= 1.10.0, < 1.10.5, <= 1.9
Fixed in: 1.11.1, 1.10.5, 1.9.1
All affected versions:
All unaffected versions: