Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/kata-containers/agent(Go) | 0 | 1.9.1 | N/A |
| github.com/kata-containers/agent(Go) | 1.10.0 | 1.10.5 | N/A |
| github.com/kata-containers/agent(Go) | 1.11.0 | 1.11.1 | N/A |
| github.com/kata-containers/runtime(Go) | 0 | 1.9.1 | N/A |
| github.com/kata-containers/runtime(Go) | 1.10.0 | 1.10.5 | N/A |
| github.com/kata-containers/runtime(Go) | 1.11.0 | 1.11.1 | N/A |
CVSS Metrics
