Severity: 4.3 MEDIUM (NVD)
EPSS: 0.1% (top 77.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27, 2020; Latest update Feb 15, 2022

Description

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 is vulnerable to a denial of service attack via successful (authenticated) API requests. The root cause, as the vendor advisories below state, is the unbounded 'client' label on the apiserver_request_total metric: in the affected versions that label was populated from the request's User-Agent header, so a caller with any valid credentials can create a new time series per request simply by varying the header, and the metrics registry grows until the API server exhausts its memory. This matches the CVSS vector (low privileges required, availability impact only).
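The cardinality problem named in the Red Hat and Bugzilla entries below, shown as an added Go example that is not code from the Kubernetes project: a minimal counter-vector stand-in (constructed here, not the Prometheus client_golang type), a simplified User-Agent sanitizer (an assumption about the original's shape, kept only to show that non-browser strings pass through unchanged), and one authenticated caller replaying successful requests with a rotating User-Agent. The hostname and request path in the constructed traffic are illustrative.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// CounterVec is a deliberately minimal stand-in for a Prometheus counter vector
// (written for this example; it is not the client_golang type). Like the real
// thing, it allocates one time series per distinct combination of label values
// and never frees them, which is exactly why an unbounded label is dangerous.
type CounterVec struct {
	labelNames []string
	series     map[string]uint64
}

func NewCounterVec(labelNames ...string) *CounterVec {
	return &CounterVec{labelNames: labelNames, series: make(map[string]uint64)}
}

// Inc increments the series identified by the given label values, creating it on first use.
func (c *CounterVec) Inc(labels map[string]string) {
	parts := make([]string, len(c.labelNames))
	for i, name := range c.labelNames {
		parts[i] = name + "=" + labels[name]
	}
	c.series[strings.Join(parts, ",")]++
}

// Series returns how many distinct time series the vector currently holds.
func (c *CounterVec) Series() int { return len(c.series) }

// cleanUserAgent is a simplified sanitizer (assumption, not the project's code):
// browsers are collapsed into one value, every other string passes through
// unchanged, so the caller fully controls the resulting label value.
func cleanUserAgent(ua string) string {
	if strings.HasPrefix(ua, "Mozilla/") {
		return "Browser"
	}
	return ua
}

// RecordVulnerable mirrors the pre-fix behaviour: the "client" label is taken
// from the request's User-Agent header, which the caller chooses freely.
func RecordVulnerable(vec *CounterVec, r *http.Request, verb, resource, code string) {
	vec.Inc(map[string]string{
		"verb":     verb,
		"resource": resource,
		"code":     code,
		"client":   cleanUserAgent(r.UserAgent()),
	})
}

// RecordFixed mirrors the post-fix behaviour: the "client" label is gone, so the
// label set is drawn only from values the server itself bounds.
func RecordFixed(vec *CounterVec, r *http.Request, verb, resource, code string) {
	vec.Inc(map[string]string{"verb": verb, "resource": resource, "code": code})
}

// SimulateAttack replays n successful GET /api/v1/pods requests from one
// authenticated caller that rotates its User-Agent on every request (constructed
// traffic), and returns the resulting series counts for both metric variants.
func SimulateAttack(n int) (vulnerableSeries, fixedSeries int) {
	vuln := NewCounterVec("verb", "resource", "code", "client")
	fixed := NewCounterVec("verb", "resource", "code")
	for i := 0; i < n; i++ {
		req, err := http.NewRequest(http.MethodGet, "https://kube-apiserver:6443/api/v1/pods", nil)
		if err != nil {
			panic(err)
		}
		req.Header.Set("User-Agent", fmt.Sprintf("attacker/%d", i))
		RecordVulnerable(vuln, req, "GET", "pods", "200")
		RecordFixed(fixed, req, "GET", "pods", "200")
	}
	return vuln.Series(), fixed.Series()
}

func main() {
	v, f := SimulateAttack(100000)
	fmt.Printf("vulnerable metric: %d series, fixed metric: %d series\n", v, f)
}
```

Every request in the replay is a legitimate, successful call, so neither authentication nor authorization logs show anything unusual; only the metrics registry grows. On a running cluster the exposure can be measured directly from the API server's /metrics endpoint with the PromQL query `count by (client) (apiserver_request_total)`: a large and growing number of distinct client values on an unpatched server is the symptom, while a patched server carries no client label at all.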

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Exploitability: 2.8 | Impact: 1.4)

Affected Packages (5 packages)

Source      Package                  Affected range
Go          k8s.io/apiserver         0.16.0 to 0.16.7 (+2 more)
Debian      debian/kubernetes        < kubernetes 1.17.4-1 (bookworm)
CVEListV5   kubernetes/kubernetes    unspecified to v1.17.3 (+2 more)
Debian      kubernetes/kubernetes    < 1.17.4-1 (+3 more)
NVD         kubernetes/kubernetes    1.16.0 to 1.16.6 (+2 more)

Also affects: Fedora 32

Patches

Vulnerability Details (3)

GHSA: Kubernetes API Server DoS Via API Requests (2022-02-15)
OSV: Kubernetes API Server DoS Via API Requests (2022-02-15)
OSV: CVE-2020-8552: The Kubernetes API server component in versions prior to 1... (2020-03-27)

Vendor Advisories (2)

Red Hat: kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion (2020-03-23)
Debian: CVE-2020-8552: kubernetes - The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, ... (2020)

Community (3)

Bugzilla: CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion [fedora-all] (2020-03-23)
Bugzilla: CVE-2020-8552 origin: kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion [fedora-all] (2020-03-23)
Bugzilla: CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion (2020-02-04)
CVE-2020-8552 — Kubernetes vulnerability | cvebase