Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg3N3gtMzJwbS1wMjh4
Link Following in Kata Runtime
A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing for code execution on the host. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions.
Permalink: https://github.com/advisories/GHSA-877x-32pm-p28xJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg3N3gtMzJwbS1wMjh4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-877x-32pm-p28x, CVE-2020-2026
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2026
- https://github.com/kata-containers/runtime/issues/2712
- https://github.com/kata-containers/runtime/pull/2713
- https://github.com/kata-containers/runtime/releases/tag/1.10.5
- https://github.com/kata-containers/runtime/releases/tag/1.11.1
- https://lists.fedoraproject.org/archives/list/[email protected]/message/2P7FHA4AF6Y6PAVJBTTQPUEHXZQUOF3P/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/6JPBKAQBF3OR72N55GWM2TDYQP2OHK6H/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/6W5MKF7HSAIL2AX2BX6RV4WWVGUIKVLS/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NJAMOVB7DSOGX7J26QH5HZKU7GSSX2VU/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/QNJHSSPCKUGJDVXXIXK2JUWCRJDQX7CE/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/XWACJQSMY5BVDMVTF3FBN7HZSOSFOG3Q/
- https://github.com/advisories/GHSA-877x-32pm-p28x
Blast Radius: 5.3
Affected Packages
go:github.com/kata-containers/runtime
Dependent packages: 3Dependent repositories: 4
Downloads:
Affected Version Ranges: = 1.11.0, >= 1.10.0, <= 1.10.5, <= 1.9
Fixed in: 1.11.1, 1.10.6, 1.9.1
All affected versions:
All unaffected versions: