CVE-2020-24264
moderate-risk
Published 2021-03-16
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
Do I need to act?
~
5.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Portainer
Affected Vendors
References (2)
Third Party Advisory
https://github.com/portainer/portainer/issues/4106
Third Party Advisory
https://github.com/portainer/portainer/issues/4106
45
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
8/34 · Low
Exposure
5/34 · Minimal