CVE-2020-2026

Published: Jun 10, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.0 / Impact: 6.0

Source: NVD

Description

A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing for code execution on the host. This issue affects: Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions.

Affected (4)

Products: Katacontainers: Runtime · Fedoraproject: Fedora

1 product

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Katacontainers Runtime	Up to 1.9
Katacontainers Runtime	From 1.10 to 1.10.5
Katacontainers Runtime	From 1.11 to 1.11.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 31

Related CWEs

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (20)

https://github.com/kata-containers/runtime/issues/2712

Source: psirt@paloaltonetworks.com

Third Party Advisory

https://github.com/kata-containers/runtime/pull/2713

Source: psirt@paloaltonetworks.com

Third Party Advisory

https://github.com/kata-containers/runtime/releases/tag/1.10.5

Source: psirt@paloaltonetworks.com

Release NotesThird Party Advisory

https://github.com/kata-containers/runtime/releases/tag/1.11.1

Source: psirt@paloaltonetworks.com

Release NotesThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2P7FHA4AF6Y6PAVJBTTQPUEHXZQUOF3P/

Source: psirt@paloaltonetworks.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6JPBKAQBF3OR72N55GWM2TDYQP2OHK6H/

Source: psirt@paloaltonetworks.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6W5MKF7HSAIL2AX2BX6RV4WWVGUIKVLS/

Source: psirt@paloaltonetworks.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJAMOVB7DSOGX7J26QH5HZKU7GSSX2VU/

Source: psirt@paloaltonetworks.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNJHSSPCKUGJDVXXIXK2JUWCRJDQX7CE/

Source: psirt@paloaltonetworks.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWACJQSMY5BVDMVTF3FBN7HZSOSFOG3Q/

Source: psirt@paloaltonetworks.com

https://github.com/kata-containers/runtime/issues/2712

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/kata-containers/runtime/pull/2713

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/kata-containers/runtime/releases/tag/1.10.5

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/kata-containers/runtime/releases/tag/1.11.1

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2P7FHA4AF6Y6PAVJBTTQPUEHXZQUOF3P/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6JPBKAQBF3OR72N55GWM2TDYQP2OHK6H/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6W5MKF7HSAIL2AX2BX6RV4WWVGUIKVLS/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJAMOVB7DSOGX7J26QH5HZKU7GSSX2VU/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNJHSSPCKUGJDVXXIXK2JUWCRJDQX7CE/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWACJQSMY5BVDMVTF3FBN7HZSOSFOG3Q/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.