CVE-2020-24264
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
Portainer versiones 1.24.1 y anteriores, están afectados por un control de acceso incorrecto que puede conllevar a una ejecución de código arbitraria remota. Las comprobaciones de restricción para los montajes de enlace se aplican solo en el lado del cliente y no en el lado del servidor, lo que puede conllevar a generar un contenedor con montaje de enlace. Una vez que es generado un contenedor de este tipo, puede ser aprovechado para salir del contenedor y completar la toma de control de la máquina host de Docker
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-08-13 CVE Reserved
- 2021-03-16 CVE Published
- 2024-08-04 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/portainer/portainer/issues/4106 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Portainer Search vendor "Portainer" | Portainer Search vendor "Portainer" for product "Portainer" | <= 1.24.1 Search vendor "Portainer" for product "Portainer" and version " <= 1.24.1" | - |
Affected
| ||||||