Execution with Unnecessary Privileges

CVE-2020-2023

Medium

6.3/10

Summary

Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: LOW
Scope: CHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-250 - Execution with Unnecessary Privileges

The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

References

Advisory
Pull request
Pull request
Pull request
1.10.5
1.11.1

Advisory Timeline

Published Jun 10, 2020

Execution with Unnecessary Privileges

CVE-2020-2023

Summary

CWE-250 - Execution with Unnecessary Privileges

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS