CVE-2020-2023 Information

Description

Kata Containers doesn’t restrict containers from accessing the guest’s root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Reference

https://github.com/kata-containers/agent/issues/791
https://github.com/kata-containers/agent/pull/792
https://github.com/kata-containers/runtime/issues/2488
https://github.com/kata-containers/runtime/pull/2477
https://github.com/kata-containers/runtime/pull/2487
https://github.com/kata-containers/runtime/releases/tag/1.10.5
https://github.com/kata-containers/runtime/releases/tag/1.11.1

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

Base Score

6.3

Base Severity

MEDIUM
