CVE-2020-8555
Kubernetes kube-controller-manager SSRF
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
El Kubernetes kube-controller-manager en las versiones v1.0-1.14, versiones anteriores a v1.15.12, v1.16.9, v1.17.5 y v1.18.0, son vulnerables a un ataque de tipo Server Side Request Forgery (SSRF) que permite que determinados usuarios autorizados pierdan hasta 500 bytes de informaciĆ³n arbitraria de endpoints desprotegidos dentro de la red host del maestro (tales como los servicios link-local o loopback)
A server side request forgery (SSRF) flaw was found in Kubernetes. The kube-controller-manager allows authorized users with the ability to create StorageClasses or certain Volume types to leak up to 500 bytes of arbitrary information from the master's host network. This can include secrets from the kube-apiserver through the unauthenticated localhost port (if enabled).
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-02-03 CVE Reserved
- 2020-06-04 CVE Published
- 2024-09-16 CVE Updated
- 2024-09-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2020/06/01/4 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2021/05/04/8 | Mailing List |
|
| https://github.com/kubernetes/kubernetes/issues/91542 | Third Party Advisory | |
| https://groups.google.com/d/topic/kubernetes-security-announce/kEK27tqqs30/discussion | Mailing List | |
| https://security.netapp.com/advisory/ntap-20200724-0005 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | < 1.15.11 Search vendor "Kubernetes" for product "Kubernetes" and version " < 1.15.11" | - |
Affected
| ||||||
| Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | >= 1.16.0 < 1.16.9 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.16.0 < 1.16.9" | - |
Affected
| ||||||
| Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | >= 1.17.0 < 1.17.5 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.17.0 < 1.17.5" | - |
Affected
| ||||||
| Kubernetes Search vendor "Kubernetes" | Kubernetes Search vendor "Kubernetes" for product "Kubernetes" | 1.18.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.18.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||