CVE-2020-2023 — Improper Privilege Management and Execution with Unnecessary Privileges in Kata

Description

Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

How to fix CVE-2020-2023

To remediate CVE-2020-2023, upgrade the affected package to a fixed version below.

—upgrade to 1.9.1 or later
—upgrade to 1.9.1 or later

Is CVE-2020-2023 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.9.1
from 0, < 1.9.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2023
PATCHgithub.com/kata-containers
WEBgithub.com/kata-containers/agent/issues/791
WEBgithub.com/kata-containers/agent/pull/792
WEBgithub.com