#VU34359 Improper Privilege Management in Runtime - CVE-2020-2023
Published: June 10, 2020 / Updated: May 9, 2023
Vulnerability identifier: #VU34359
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/U:Clear
CVE-ID: CVE-2020-2023
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability:
Public exploit is available
Vulnerable software:
Runtime
Runtime
Software vendor:
Kata Containers
Kata Containers
Description
The vulnerability allows a local authenticated user to read and manipulate data.
Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.
Remediation
Install update from vendor's website.
External links
- https://github.com/kata-containers/agent/issues/791
- https://github.com/kata-containers/agent/pull/792
- https://github.com/kata-containers/runtime/issues/2488
- https://github.com/kata-containers/runtime/pull/2477
- https://github.com/kata-containers/runtime/pull/2487
- https://github.com/kata-containers/runtime/releases/tag/1.10.5
- https://github.com/kata-containers/runtime/releases/tag/1.11.1