CVE-2020-24264
CRITICALPortainer < 1.24.1 - Incorrect Authorization Leading to Remote Code Execution via Bind Mount Bypass
Title source: llmDescription
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://github.com/portainer/portainer/issues/4106
Scores
CVSS v3
9.8
EPSS
0.0412
EPSS Percentile
89.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (1)
portainer/portainer
< 1.24.1
Published
Mar 16, 2021
Tracked Since
Feb 18, 2026