CVE-2020-2023

Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

Published: Jun 10, 2020
Updated: May 9, 2024
CVE: CVE-2020-2023
GHSA: GHSA-6978-vg2j-cc9q
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.3
AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVSS v2:

Severity: Low
Score: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
katacontainers / runtime	1.10	1.10.5
katacontainers / runtime	1.11	1.11.1
katacontainers / runtime	-	1.9.x
github.com/kata-containers/agent	-	1.9.1
github.com/kata-containers/agent	1.10.0	1.10.5
github.com/kata-containers/agent	1.11.0	1.11.1
github.com/kata-containers/runtime	-	1.9.1
github.com/kata-containers/runtime	1.10.0	1.10.5
github.com/kata-containers/runtime	1.11.0	1.11.1

Vulnerability Database

CVE-2020-2023

Deep Security Visibility Without the Complexity