CVE-2020-2023

low-risk
Published 2020-06-10

Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

Do I need to act?

~
1.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.8/10 Low
LOCAL / LOW complexity

Affected Products (1)

Runtime

Affected Vendors

Katacontainers

References (14)

Third Party Advisory https://github.com/kata-containers/agent/issues/791
Patch https://github.com/kata-containers/agent/pull/792
Patch https://github.com/kata-containers/runtime/issues/2488
Patch https://github.com/kata-containers/runtime/pull/2477
Patch https://github.com/kata-containers/runtime/pull/2487
Release Notes https://github.com/kata-containers/runtime/releases/tag/1.10.5
Release Notes https://github.com/kata-containers/runtime/releases/tag/1.11.1
Third Party Advisory https://github.com/kata-containers/agent/issues/791
Patch https://github.com/kata-containers/agent/pull/792
Patch https://github.com/kata-containers/runtime/issues/2488
Patch https://github.com/kata-containers/runtime/pull/2477
Patch https://github.com/kata-containers/runtime/pull/2487
Release Notes https://github.com/kata-containers/runtime/releases/tag/1.10.5
Release Notes https://github.com/kata-containers/runtime/releases/tag/1.11.1
24
/ 100
low-risk
Severity 14/34 · Moderate
Exploitability 5/34 · Minimal
Exposure 5/34 · Minimal