CVE-2020-8554
Published: 2021-01-21
Priority: P3 (38) · Severity: medium · CVSS 3.1 base score: 5.0
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 9.27% (94.7th percentile)
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
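The flaw is that the API server accepts any value in `spec.externalIPs` (and, for a privileged status patch, any `status.loadBalancer.ingress[].ip`) without checking that the caller owns that address, and the proxy on every node then programs routes for it. The practical control, which is also what the OpenShift externalIP admission plugin and the kube-router advisory further down this page describe, is to restrict those fields to operator-configured CIDR ranges. The script below is an added example, not code from the Kubernetes project, kube-router, or any vendor advisory on this page. It audits a `kubectl get services -A -o json` style document (constructed inline here) against allowed ranges and also models the accept/deny decision an admission webhook would make; the allowlist CIDRs, function names and the sample Services are assumptions for illustration.

```python
"""Audit Kubernetes Services for CVE-2020-8554-style traffic interception.

Added example, not code from the Kubernetes project or any vendor advisory.
Rule modelled: spec.externalIPs and status.loadBalancer.ingress[].ip must fall
inside operator-configured CIDR ranges; anything else lets a Service claim an
IP it does not own and have every node's proxy route cluster traffic for it.
"""
import ipaddress
import json

# Constructed sample of what `kubectl get services -A -o json` could return.
# Addresses are documentation ranges and the default kube-dns ClusterIP.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # ordinary ClusterIP service, nothing to flag
            "metadata": {"name": "web", "namespace": "shop"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.96.12.7",
                     "ports": [{"port": 80}]},
            "status": {"loadBalancer": {}},
        },
        {   # tenant-created service claiming the cluster DNS IP and a public IP
            "metadata": {"name": "dns-hijack", "namespace": "tenant-b"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.96.88.1",
                     "externalIPs": ["10.96.0.10", "203.0.113.5"],
                     "ports": [{"port": 53}]},
            "status": {"loadBalancer": {}},
        },
        {   # legitimate externalIP inside the operator's allowed range
            "metadata": {"name": "legacy-ingress", "namespace": "platform"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.96.3.3",
                     "externalIPs": ["192.0.2.40"], "ports": [{"port": 443}]},
            "status": {"loadBalancer": {}},
        },
        {   # LoadBalancer whose status was patched to point at a foreign IP
            "metadata": {"name": "api", "namespace": "tenant-c"},
            "spec": {"type": "LoadBalancer", "clusterIP": "10.96.5.5",
                     "ports": [{"port": 443}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.77"}]}},
        },
    ],
})


def sample_services():
    """Parsed Service objects from the constructed sample document."""
    return json.loads(SAMPLE_KUBECTL_JSON)["items"]


def parse_cidrs(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _outside(ip, networks):
    # An empty allowlist means no address is acceptable (safe default).
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in networks)


def check_service(svc, external_ip_nets, lb_ip_nets):
    """Return (namespace/name, field, ip) violations for one Service."""
    meta = svc["metadata"]
    name = f"{meta.get('namespace', 'default')}/{meta['name']}"
    violations = []
    for ip in svc.get("spec", {}).get("externalIPs", []) or []:
        if _outside(ip, external_ip_nets):
            violations.append((name, "spec.externalIPs", ip))
    lb_status = svc.get("status", {}).get("loadBalancer", {}) or {}
    for entry in lb_status.get("ingress", []) or []:
        ip = entry.get("ip")
        if ip and _outside(ip, lb_ip_nets):
            violations.append((name, "status.loadBalancer.ingress.ip", ip))
    return violations


def audit(kubectl_json, allowed_external_cidrs, allowed_lb_cidrs):
    """Audit every Service in a kubectl JSON list document."""
    doc = json.loads(kubectl_json)
    ext = parse_cidrs(allowed_external_cidrs)
    lb = parse_cidrs(allowed_lb_cidrs)
    findings = []
    for svc in doc.get("items", []):
        findings.extend(check_service(svc, ext, lb))
    return findings


def admission_decision(svc, allowed_external_cidrs, allowed_lb_cidrs=()):
    """Model of an admission webhook: deny if any IP lies outside the allowlist.
    Returns (allowed, message). With an empty externalIPs allowlist every
    externalIP is denied, which is the right default for a multi-tenant cluster."""
    v = check_service(svc, parse_cidrs(allowed_external_cidrs),
                      parse_cidrs(allowed_lb_cidrs))
    if not v:
        return True, "ok"
    return False, "; ".join(f"{n}: {field} {ip} not in allowed ranges"
                            for n, field, ip in v)


if __name__ == "__main__":
    for finding in audit(SAMPLE_KUBECTL_JSON, ["192.0.2.0/24"], ["198.51.100.0/28"]):
        print("VIOLATION", *finding)
```

Run it on a real dump (`kubectl get svc -A -o json > svc.json`) with the CIDRs your platform actually allocates; any `spec.externalIPs` entry outside those ranges in a namespace tenants can write to is the condition the CVE describes. Note that the audit only finds Services that already exist; preventing the condition needs the same check enforced at admission time, since kube-proxy acts on the object the moment it is stored.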
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.31.4+ds-1 (forky) | kubernetes 1.31.4+ds-1 (forky) |
| github.com | cloudnativelabs_kube-router_v2 | >= 0 < 2.8.0 | 2.8.0 |
| k8s.io | kubernetes | 0 – 1.22.0 | — |
| kubernetes | kubernetes | all versions | — |
| kubernetes | kubernetes | >= 0 < 1.31.4+ds-1 | 1.31.4+ds-1 |
| kubernetes | kubernetes | >= 0 < 1.31.4+ds-1 | 1.31.4+ds-1 |
| msrc | azl3_kubernetes_1.28.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.10-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-kubernetes_21.7.0-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_kubernetes_1.28.3-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-kubernetes_21.7.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_kubernetes_1.22.4-2_on_cbl_mariner_1.0 | — | — |
| oracle | communications_cloud_native_core_network_slice_selection_function | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
| oracle | communications_cloud_native_core_service_communication_proxy | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| ghsa | — | 5.0 | MEDIUM | — |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 6.3 | LOW | — |
| vendor_redhat | — | 6.3 | MEDIUM | — |
| vendor_msrc | — | 5.0 | MEDIUM | — |
| vendor_oracle | — | 5.0 | MEDIUM | — |
Oracle
Oracle Oracle Communications Risk Matrix: Policy (Kubernetes) — CVE-2020-8554
vendor_oracle·2022-04-15·CVSS 5.0
CVE-2020-8554 [MEDIUM] Oracle Oracle Communications Risk Matrix: Policy (Kubernetes) — CVE-2020-8554
Oracle Oracle Communications Risk Matrix: Policy (Kubernetes) vulnerability
CVE: CVE-2020-8554
CVSS: 5.0
Protocol: HTTP
Remote exploit without authentication: No
Attack vector: Network
Advisory: cpuapr2022 (Oracle Critical Patch Update, April 2022)
Oracle
Oracle Oracle Communications Risk Matrix: SCP (Kubernetes API) — CVE-2020-8554
vendor_oracle·2022-01-15·CVSS 5.0
CVE-2020-8554 [MEDIUM] Oracle Oracle Communications Risk Matrix: SCP (Kubernetes API) — CVE-2020-8554
Oracle Oracle Communications Risk Matrix: SCP (Kubernetes API) vulnerability
CVE: CVE-2020-8554
CVSS: 5.0
Protocol: HTTP
Remote exploit without authentication: No
Attack vector: Network
Advisory: cpujan2022 (Oracle Critical Patch Update, January 2022)
Microsoft
Kubernetes man in the middle using LoadBalancer or ExternalIPs
vendor_msrc·2021-01-12·CVSS 5.0
CVE-2020-8554 [MEDIUM] CWE-283 Kubernetes man in the middle using LoadBalancer or ExternalIPs
Kubernetes man in the middle using LoadBalancer or ExternalIPs
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
kubernetes: kubernetes
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
kubernetes: MITM using LoadBalancer or ExternalIPs
vendor_redhat·2020-12-07·CVSS 6.3
CVE-2020-8554 [MEDIUM] CWE-200 kubernetes: MITM using LoadBalancer or ExternalIPs
kubernetes: MITM using LoadBalancer or ExternalIPs
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
A flaw was found in kubernetes. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.
Statement: OpenShift Container Platform (OCP) includes a builtin externalIP admission plugin, which restricts the use of Service externalIPs to thos
Debian
CVE-2020-8554: kubernetes - Kubernetes API server in all versions allow an attacker who is able to create a ...
vendor_debian·2020·CVSS 6.3
CVE-2020-8554 [MEDIUM] CVE-2020-8554: kubernetes - Kubernetes API server in all versions allow an attacker who is able to create a ...
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 1.31.4+ds-1)
sid: resolved (fixed in 1.31.4+ds-1)
trixie: resolved (fixed in 1.31.4+ds-1)
OSV
Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
osv·2026-03-17·CVSS 5.0
CVE-2026-32254 [MEDIUM] Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
# kube-router Proxy Module Does Not Validate ExternalIPs or LoadBalancer IPs Against Configured Ranges
## Summary
This issue primarily affects multi-tenant clusters where untrusted users are granted namespace-scoped permissions to create or modify Services. Single-tenant clusters or clusters where all Service creators are trusted are not meaningfully affected.
The kube-router proxy module's `buildServicesInfo()` function directly copies IPs from `Service.spec.externalIPs` and `status.loadBalancer.ingress` into node-level network configuration (kube-dummy-if interface, IPVS virtual services, LOCAL routing table) without validating them against the `--service-external-
GHSA
Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
ghsa·2026-03-17·CVSS 5.0
CVE-2026-32254 [MEDIUM] CWE-284 Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS
# kube-router Proxy Module Does Not Validate ExternalIPs or LoadBalancer IPs Against Configured Ranges
## Summary
This issue primarily affects multi-tenant clusters where untrusted users are granted namespace-scoped permissions to create or modify Services. Single-tenant clusters or clusters where all Service creators are trusted are not meaningfully affected.
The kube-router proxy module's `buildServicesInfo()` function directly copies IPs from `Service.spec.externalIPs` and `status.loadBalancer.ingress` into node-level network configuration (kube-dummy-if interface, IPVS virtual services, LOCAL routing table) without validating them against the `--service-external-
OSV
Unverified Ownership in Kubernetes
osv·2022-02-08
CVE-2020-8554 [MEDIUM] Unverified Ownership in Kubernetes
Unverified Ownership in Kubernetes
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
GHSA
Unverified Ownership in Kubernetes
ghsa·2022-02-08
CVE-2020-8554 [MEDIUM] CWE-283 Unverified Ownership in Kubernetes
Unverified Ownership in Kubernetes
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
OSV
CVE-2020-8554: Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec
osv·2021-01-21·CVSS 5.0
CVE-2020-8554 [MEDIUM] CVE-2020-8554: Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws
blogs_bleepingcomputer·2023-11-14·CVSS 7.8
[HIGH] Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws
## Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws
## Lawrence Abrams
16 Elevation of Privilege Vulnerabilities
6 Security Feature Bypass Vulnerabilities
15 Remote Code Execution Vulnerabilities
6 Information Disclosure Vulnerabilities
5 Denial of Service Vulnerabilities
11 Spoofing Vulnerabilities
The total count of 58 flaws does not include 5 Mariner security updates and 20 Microsoft Edge security updates released earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5032190 cumulative update and Windows 10 KB5032189 cumulative update.
## Five zero-days fixed
This month's Patch Tuesday fixes five zero-day vulnerabilities, with three exploited in attacks and three publicl
Unit42
Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities
blogs_unit42·2022-03-08
Yuval Avrahami · Published: March 8, 2022 · Cloud Cybersecurity Research, Threat Research, Vulnerabilities, Containers
## Executive Summary
In February 2021, Google announced Autopilot, a new mode of operation in Google Kubernetes Engine (GKE). With Autopilot, Google provides a "hands-off" Kubernetes experience, managing cluster infrastructure for the customer. The platform automatically provisions and removes nodes based on resource consumption and enforces secure Kubernetes best practices out of the box.
In June 2021, Unit 42 researchers disclosed several vulnerabilities and attack techniques in GKE Autopilot to Google. Users able to create a pod could have abused these to (1) escape their pod and compromise the underlying node, (2) escalate privileges and become full cluster administrators, and (3) covertly persist administrative access through backdoors that are completely invisible to cluster operat
Tenable
Infrastructure as Code Security Requires Programmatic Controls
blogs_tenable·2021-03-09
Infrastructure as Code Security Requires Programmatic Controls
Unit42
Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554)
blogs_unit42·2020-12-21·CVSS 6.3
CVE-2020-8554 [MEDIUM] Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554)
Yuval Avrahami · Published: December 21, 2020 · Cloud Cybersecurity Research, Threat Research, Vulnerabilities, CVE-2020-8554, Kubernetes
## Executive Summary
On Dec. 4, 2020, the Kubernetes Product Security Committee disclosed a new Kubernetes vulnerability assigned CVE-2020-8554. It is a medium severity issue affecting all Kubernetes versions and is currently unpatched. CVE-2020-8554 is a design flaw that allows Kubernetes Services to intercept cluster traffic to any IP address. Users who can manage services can exploit the vulnerability to carry out man-in-the-middle (MITM) attacks against pods and nodes in the cluster.
Adversaries may utilize MITM attacks to masquerade as internal or external endpoints, harvest credentials from network traffic, tamper with a victim's data before sending it to its intended target or block communications with specific IPs altogether. Using encrypted protocols such as Transport Layer Secu
Bugzilla
CVE-2020-8554 kubernetes: MITM using LoadBalancer or ExternalIPs
bugzilla·2020-10-23·CVSS 6.3
CVE-2020-8554 [MEDIUM] CVE-2020-8554 kubernetes: MITM using LoadBalancer or ExternalIPs
CVE-2020-8554 kubernetes: MITM using LoadBalancer or ExternalIPs
A security issue was discovered with Kubernetes affecting multitenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.
Discussion:
ExternalIP admission plugin prevents this from being exploited, added in OpenShift v1:
https://github.com/openshift/origin/commit/290ade01c6c27e835a2b9132fce839234fc4ea27
---
Acknowledgments:
Name: the Kubernetes Product Security Committee
Upstream: Etienne Champetier (Anevia)
---
Mitigation:
ExternalIP addresses ranges can be configured as described below. OCP 4 is secure by default, though cluster-admins can whitelist externalIP addresses as needed. OCP 3.11 can be secur
References
https://github.com/kubernetes/kubernetes/issues/97076
https://groups.google.com/g/kubernetes-security-announce/c/iZWsF9nbKE8
https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves/
https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
Published: 2021-01-21