GHSA-877x-32pm-p28x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-877x-32pm-p28x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-877x-32pm-p28x/GHSA-877x-32pm-p28x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-877x-32pm-p28x
- Aliases
- Published
- 2022-02-15T01:57:18Z
- Modified
- 2023-11-08T04:02:48.383045Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Link Following in Kata Runtime
- Details
-
A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing for code execution on the host. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions.
- Database specific
{ "nvd_published_at": "2020-06-10T18:15:00Z", "cwe_ids": [ "CWE-59" ], "github_reviewed_at": "2021-05-13T19:28:33Z", "severity": "HIGH", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-2026
- https://github.com/kata-containers/runtime/issues/2712
- https://github.com/kata-containers/runtime/pull/2713
- https://github.com/kata-containers/runtime/releases/tag/1.10.5
- https://github.com/kata-containers/runtime/releases/tag/1.11.1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P7FHA4AF6Y6PAVJBTTQPUEHXZQUOF3P
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JPBKAQBF3OR72N55GWM2TDYQP2OHK6H
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6W5MKF7HSAIL2AX2BX6RV4WWVGUIKVLS
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJAMOVB7DSOGX7J26QH5HZKU7GSSX2VU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNJHSSPCKUGJDVXXIXK2JUWCRJDQX7CE
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWACJQSMY5BVDMVTF3FBN7HZSOSFOG3Q
Affected packages
Go
github.com/kata-containers/runtime
Package
- Name
- github.com/kata-containers/runtime
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/kata-containers/runtime
github.com/kata-containers/runtime
Package
- Name
- github.com/kata-containers/runtime
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/kata-containers/runtime
github.com/kata-containers/runtime
Package
- Name
- github.com/kata-containers/runtime
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/kata-containers/runtime