The Kata agent policies generated by the Contrast CLI had an issue in the CopyFile verification, which allowed arbitrary writes to the guest root filesytem. A malicious process on the host with the capability to connect to the Kata agent VSOCK could connect to the agent and issue a series of CopyFile requests to overwrite security-critical files or trick the workload into disclosing sensitive data, which effectively amounts to a full guest takeover.
This issue has been patched in Contrast v1.19.1.
Note that this fix does not change the fact that host-provided content is generally not trustworthy, as documented.
If upgrading is not possible, users can implement the fix in rego and pass it to contrast generate --policy. The rego-only fix is a bit trickier than the patch, because the data to check is binary. See the references for details.
1.19.1Exploitability
AV:AAC:LPR:NUI:NScope
S:UImpact
C:HI:HA:N8.1/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N