CVE-2020-8551 — Memory Allocation with Excessive Size Value in Kubernetes

CWE-789 — Memory Allocation with Excessive Size Value CWE-770 — Allocation of Resources Without Limits or Throttling CWE-400 — Uncontrolled Resource Consumption12 documents7 sources

Severity

6.5MEDIUMNVD

CNA4.3

EPSS

0.6%

top 30.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Kubernetes Fedoraproject Fedora

Timeline

PublishedMar 27

Latest updateAug 21

Description

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Gok8s.io/kubernetes1.15.0 — 1.15.10+2

▶CVEListV5kubernetes/kubernetesunspecified — v1.17.3+2

▶Debiankubernetes/kubernetes< 1.17.4-1+3

▶NVDkubernetes/kubernetes1.15.0 — 1.15.9+2

Also affects: Fedora 32

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes in k8s.io/kubernetes↗2024-08-21

▶

OSV

Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes↗2022-02-15

▶

GHSA

Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes↗2022-02-15

▶

OSV

CVE-2020-8551: The Kubelet component in versions 1↗2020-03-27

▶

CVEList

Kubernetes kubelet denial of service↗2020-03-27

▶

📋Vendor Advisories

Red Hat

kubernetes: crafted requests to kubelet API allow for memory exhaustion↗2020-03-23

▶

Debian

CVE-2020-8551: kubernetes - The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17....↗2020

▶

💬Community

Bugzilla

CVE-2020-8551 kubernetes: crafted requests to kubelet API allow for memory exhaustion [fedora-all]↗2020-03-23

▶

Bugzilla

CVE-2020-8551 origin: kubernetes: crafted requests to kubelet API allow for memory exhaustion [fedora-all]↗2020-03-23

▶

Bugzilla

CVE-2020-8551 kubernetes: crafted requests to kubelet API allow for memory exhaustion↗2020-03-23

▶

Bugzilla

CVE-2019-8551 webkitgtk: malicious web content leads to cross site scripting↗2019-06-11

▶