x/vulndb: potential Go vuln in github.com/kata-containers/runtime: CVE-2020-2025

[tatianab]

CVE-2020-2025 references github.com/kata-containers/runtime, which may be a Go module.

Description:
Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent guest VMs. Since Kata Containers uses the same VM image file with all VMMs, this issue may also affect QEMU and Firecracker based guests.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2025
• fix: clh: update CLH to stable/v0.5.x kata-containers/runtime#2487
• Imported by: https://pkg.go.dev/github.com/kata-containers/runtime?tab=importedby

Cross references:

• Module github.com/kata-containers/runtime appears in issue x/vulndb: potential Go vuln in github.com/kata-containers/runtime: GHSA-6978-vg2j-cc9q #801 NOT_IMPORTABLE
• Module github.com/kata-containers/runtime appears in issue x/vulndb: potential Go vuln in github.com/kata-containers/runtime: GHSA-877x-32pm-p28x #811 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/kata-containers/runtime
      vulnerable_at: 0.0.0-20210505125100-04f29832a923
      packages:
        - package: Kata Containers
cves:
    - CVE-2020-2025
credits:
    - Yuval Avrahami, Palo Alto Networks
references:
    - fix: https://github.com/kata-containers/runtime/pull/2487

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports