#VU34360 Link following in Runtime - CVE-2020-2026
Published: June 10, 2020 / Updated: August 8, 2020
Vulnerability identifier: #VU34360
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear
CVE-ID: CVE-2020-2026
CWE-ID: CWE-59
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Runtime
Software vendor:
Kata Containers
Description
The vulnerability allows a local authenticated user to execute arbitrary code.
A guest that is compromised before container creation (e.g. through a malicious guest image, or a guest running multiple containers) can trick the Kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing code execution on the host. This issue affects: Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions.
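The link-following class (CWE-59) behind this issue can be illustrated with a generic containment check on a mount target. This is an added example, not Kata Containers code and not the vendor's patch; `checkMountTarget`, `demo` and the directory names are hypothetical and the directory tree is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapes = errors.New("mount target resolves outside allowed base")

// checkMountTarget (hypothetical helper) resolves every symlink in target and
// returns the real path only if it still lies beneath base. Mount on the
// returned path; if the untrusted side can still write here, it can be raced.
func checkMountTarget(base, target string) (string, error) {
	realBase, err := filepath.EvalSymlinks(base)
	if err != nil {
		return "", err
	}
	realTarget, err := filepath.EvalSymlinks(target)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realBase, realTarget)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s -> %s", ErrEscapes, target, realTarget)
	}
	return realTarget, nil
}

// demo builds a constructed tree: ctr1/rootfs is a real directory, while
// ctr2/rootfs is a symlink to a directory outside the shared base.
func demo() (okErr, linkErr error) {
	tmp, err := os.MkdirTemp("", "cwe59-demo")
	if err != nil {
		return err, err
	}
	defer os.RemoveAll(tmp)
	base, outside := filepath.Join(tmp, "shared"), filepath.Join(tmp, "host-dir")
	os.MkdirAll(filepath.Join(base, "ctr1", "rootfs"), 0755)
	os.MkdirAll(filepath.Join(base, "ctr2"), 0755)
	os.MkdirAll(outside, 0755)
	os.Symlink(outside, filepath.Join(base, "ctr2", "rootfs"))
	_, okErr = checkMountTarget(base, filepath.Join(base, "ctr1", "rootfs"))
	_, linkErr = checkMountTarget(base, filepath.Join(base, "ctr2", "rootfs"))
	return okErr, linkErr
}
func main() { fmt.Println(demo()) }
```

The real directory is accepted and the symlinked one is rejected with `ErrEscapes`.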
Remediation
Install the update from the vendor's website.