GHSA-6978-vg2j-cc9q

Source
https://github.com/advisories/GHSA-6978-vg2j-cc9q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6978-vg2j-cc9q/GHSA-6978-vg2j-cc9q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6978-vg2j-cc9q
Published
2022-02-15T01:57:18Z
Modified
2023-11-08T04:02:48.321662Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Privilege Management and Execution with Unnecessary Privileges in Kata Containers
Details

Kata Containers does not restrict containers from accessing the guest's root filesystem device. A malicious container can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1, Kata Containers 1.10 versions earlier than 1.10.5, and Kata Containers 1.9 and earlier versions.

Affected packages

Go / github.com/kata-containers/agent

Package

Name
github.com/kata-containers/agent
Purl
pkg:golang/github.com/kata-containers/agent

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.1

Database specific

{
    "last_known_affected_version_range": "<= 1.9"
}

Go / github.com/kata-containers/agent

Package

Name
github.com/kata-containers/agent
Purl
pkg:golang/github.com/kata-containers/agent

Affected ranges

Type
SEMVER
Events
Introduced
1.10.0
Fixed
1.10.5

Go / github.com/kata-containers/agent

Package

Name
github.com/kata-containers/agent
Purl
pkg:golang/github.com/kata-containers/agent

Affected ranges

Type
SEMVER
Events
Introduced
1.11.0
Fixed
1.11.1

Go / github.com/kata-containers/runtime

Package

Name
github.com/kata-containers/runtime
Purl
pkg:golang/github.com/kata-containers/runtime

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.1

Database specific

{
    "last_known_affected_version_range": "<= 1.9"
}

Go / github.com/kata-containers/runtime

Package

Name
github.com/kata-containers/runtime
Purl
pkg:golang/github.com/kata-containers/runtime

Affected ranges

Type
SEMVER
Events
Introduced
1.10.0
Fixed
1.10.5

Go / github.com/kata-containers/runtime

Package

Name
github.com/kata-containers/runtime
Purl
pkg:golang/github.com/kata-containers/runtime

Affected ranges

Type
SEMVER
Events
Introduced
1.11.0
Fixed
1.11.1