x/vulndb: potential Go vuln in github.com/kata-containers/runtime: CVE-2020-27151

[tatianab]

CVE-2020-27151 references github.com/kata-containers/runtime, which may be a Go module.

Description:
An issue was discovered in Kata Containers through 1.11.3 and 2.x through 2.0-rc1. The runtime will execute binaries given using annotations without any kind of validation. Someone who is granted access rights to a cluster will be able to have kata-runtime execute arbitrary binaries as root on the worker nodes.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-27151
• web: https://bugs.launchpad.net/katacontainers.io/+bug/1878234
• web: https://github.com/kata-containers/runtime/releases/tag/1.12.0
• web: https://github.com/kata-containers/runtime/releases/tag/1.11.5
• web: https://github.com/kata-containers/kata-containers/releases/tag/2.0.0
• Imported by: https://pkg.go.dev/github.com/kata-containers/runtime?tab=importedby

Cross references:

• Module github.com/kata-containers/runtime appears in issue x/vulndb: potential Go vuln in github.com/kata-containers/runtime: GHSA-6978-vg2j-cc9q #801 NOT_IMPORTABLE
• Module github.com/kata-containers/runtime appears in issue x/vulndb: potential Go vuln in github.com/kata-containers/runtime: GHSA-877x-32pm-p28x #811 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/kata-containers/runtime
      vulnerable_at: 0.0.0-20210505125100-04f29832a923
      packages:
        - package: n/a
cves:
    - CVE-2020-27151
references:
    - web: https://bugs.launchpad.net/katacontainers.io/+bug/1878234
    - web: https://github.com/kata-containers/runtime/releases/tag/1.12.0
    - web: https://github.com/kata-containers/runtime/releases/tag/1.11.5
    - web: https://github.com/kata-containers/kata-containers/releases/tag/2.0.0

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports