CVE-2020-8551
Published 2020-03-27
Priority: P4 (28) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.14% (62.6th percentile)
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < 1.17.4-1 (bookworm) | 1.17.4-1 (bookworm) |
| fedoraproject | fedora | — | — |
| k8s.io | kubernetes | >= 1.15.0, < 1.15.10 | 1.15.10 |
| k8s.io | kubernetes | >= 1.16.0, < 1.16.6 | 1.16.6 |
| k8s.io | kubernetes | >= 1.17.0, < 1.17.2 | 1.17.2 |
| kubernetes | kubernetes | >= 0, < 1.17.4-1 | 1.17.4-1 |
| kubernetes | kubernetes | 1.15.0 – 1.15.9 | — |
| kubernetes | kubernetes | 1.16.0 – 1.16.6 | — |
| kubernetes | kubernetes | 1.17.0 – 1.17.2 | — |
| kubernetes | kubernetes | < v1.17.3 | v1.17.3 |
| kubernetes | kubernetes | < v1.16.7 | v1.16.7 |
| kubernetes | kubernetes | < v1.15.10 | v1.15.10 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 3.3 | LOW | AV:A/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
OSV
Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes in k8s.io/kubernetes
osv · 2024-08-21
OSV
Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes
osv · 2022-02-15 · MEDIUM
GHSA
Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes
ghsa · 2022-02-15 · MEDIUM · CWE-770
OSV
CVE-2020-8551: The Kubelet component in versions 1
osv · 2020-03-27 · CVSS 6.5 · MEDIUM
Red Hat
kubernetes: crafted requests to kubelet API allow for memory exhaustion
vendor_redhat · 2020-03-23 · CVSS 4.3 · MEDIUM · CWE-400
A denial of service flaw was found in Kubernetes' Kubelet API. A remote attacker can exploit this flaw by sending repeated, crafted HTTP requests to exhaust available memory and cause a crash.
Statement: By default, OpenShift Container Platform does not allow unauthenticated access to the Kubelet API. OpenShift Container Platform versions before 4.2 are not affected by this vulnerability as they are based on ear
Debian
CVE-2020-8551: kubernetes - The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17....
vendor_debian · 2020 · CVSS 4.3 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1.17.4-1)
bullseye: resolved (fixed in 1.17.4-1)
forky: resolved (fixed in 1.17.4-1)
sid: resolved (fixed in 1.17.4-1)
trixie: resolved (fixed in 1.17.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-8551 kubernetes: crafted requests to kubelet API allow for memory exhaustion [fedora-all]
bugzilla · 2020-03-23 · CVSS 4.3 · MEDIUM

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multip
Bugzilla
CVE-2020-8551 origin: kubernetes: crafted requests to kubelet API allow for memory exhaustion [fedora-all]
bugzilla · 2020-03-23 · CVSS 4.3 · MEDIUM
Bugzilla
CVE-2020-8551 kubernetes: crafted requests to kubelet API allow for memory exhaustion
bugzilla · 2020-03-23 · CVSS 4.3 · MEDIUM
The Kubelet has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
Discussion:
Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 1816405]
Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1816406]
---
Mitigation:
Prevent unauthenticated or unauthorized access to the Kubelet API
---
Probably the reason kubelets before 1.15.0 are unaffected is the lack of this commit, which added kubelet http metrics:
https://github.com/kubernetes/kubernetes/commit/538cd87864ee18fa0ae31b20b39728ada
Bugzilla
CVE-2019-8551 webkitgtk: malicious web content leads to cross site scripting
bugzilla · 2019-06-11 · CVSS 6.1 · MEDIUM
Processing maliciously crafted web content may lead to universal cross site scripting. A logic issue was addressed with improved validation.
Reference:
https://webkitgtk.org/security/WSA-2019-0002.html
https://wpewebkit.org/security/WSA-2019-0002.html
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:4035 https://access.redhat.com/errata/RHSA-2020:4035
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-8551
References:
https://github.com/kubernetes/kubernetes/issues/89377
https://groups.google.com/forum/#%21topic/kubernetes-security-announce/2UOlsba2g0s
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
https://security.netapp.com/advisory/ntap-20200413-0003/