9.8

CVSS Score

Basic Information

CVE ID

CVE-2020-2023

GHSA ID

GHSA-6978-vg2j-cc9q

EPSS Score

CWE

CWE-250

Published

2/15/2022

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2023

CVE-2020-2023:
Improper Privilege Management and Execution with Unnecessary Privileges in Kata Containers

Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2020-2023

GHSA ID

GHSA-6978-vg2j-cc9q

EPSS Score

CWE

CWE-250

Published

2/15/2022

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/kata-containers/agent	go	<= 1.9	1.9.1
github.com/kata-containers/agent	go	>= 1.10.0, < 1.10.5	1.10.5
github.com/kata-containers/agent	go	>= 1.11.0, < 1.11.1	1.11.1
github.com/kata-containers/runtime	go	<= 1.9	1.9.1
github.com/kata-containers/runtime	go	>= 1.10.0, < 1.10.5	1.10.5
github.com/kata-containers/runtime	go	>= 1.11.0, < 1.11.1	1.11.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing device cgroup restrictions in container creation. The key patch adds updateDeviceCgroupForGuestRootfs() call in agentGRPC.CreateContainer, indicating this was the execution point where security controls were previously absent. The function signature matches the gRPC endpoint that would be invoked during container initialization, making it the primary vulnerable entry point visible in runtime traces.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

K*t* *ont*in*rs *o*sn't r*stri*t *ont*in*rs *rom ****ssin* t** *u*st's root *il*syst*m **vi**. M*li*ious *ont*in*rs **n *xploit t*is to **in *o** *x**ution on t** *u*st *n* m*squ*r*** *s t** k*t*-***nt. T*is issu* *****ts K*t* *ont*in*rs *.** v*rsion

Reasoning

T** vuln*r**ility st*ms *rom missin* **vi** **roup r*stri*tions in *ont*in*r *r**tion. T** k*y p*t** ***s up**t***vi****roup*or*u*stRoot*s() **ll in ***nt*RP*.*r**t**ont*in*r, in*i**tin* t*is w*s t** *x**ution point w**r* s**urity *ontrols w*r* pr*vi

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-2023: Improper Privilege Management and Execution with Unnecessary Privileges in Kata Containers

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-2023:
Improper Privilege Management and Execution with Unnecessary Privileges in Kata Containers

Vulnerability Intelligence
Miggo AI