CVE-2020-28914

low-risk

Published 2020-11-17

An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

LOCAL / LOW complexity

Affected Products (1)

Kata-Containers

Affected Vendors

Katacontainers

References (10)

Third Party Advisory https://github.com/kata-containers/kata-containers/pull/1062

Third Party Advisory https://github.com/kata-containers/runtime/pull/3042

Third Party Advisory https://github.com/kata-containers/runtime/pull/3051

Release Notes https://github.com/kata-containers/runtime/releases/tag/1.11.5

Release Notes https://github.com/kata-containers/runtime/releases/tag/1.12.0

Third Party Advisory https://github.com/kata-containers/kata-containers/pull/1062

Third Party Advisory https://github.com/kata-containers/runtime/pull/3042

Third Party Advisory https://github.com/kata-containers/runtime/pull/3051

Release Notes https://github.com/kata-containers/runtime/releases/tag/1.11.5

Release Notes https://github.com/kata-containers/runtime/releases/tag/1.12.0

/ 100

low-risk

Severity 22/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal