CVE-2020-8554
published 2021-01-21

Priority: P3 | 38 | medium | 5 | CVSS 3.1
CVSS 3.1 vector: AV:N / AC:H / PR:L / UI:N / S:U / C:L / I:L / A:L
EPSS: 9.27% (94.7th percentile)
The Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status of a LoadBalancer service (which is considered a privileged operation and should not typically be granted to users) can set status.loadBalancer.ingress.ip to similar effect.

Affected

19 ranges
Vendor | Product | Version range | Fixed in
debian | kubernetes | < kubernetes 1.31.4+ds-1 (forky) | kubernetes 1.31.4+ds-1 (forky)
github.com | cloudnativelabs_kube-router_v2 | >= 0 < 2.8.0 | 2.8.0
k8s.io | kubernetes | 0 – 1.22.0 |
kubernetes | kubernetes | < ** |
kubernetes | kubernetes | >= 0 < 1.31.4+ds-1 | 1.31.4+ds-1
kubernetes | kubernetes | >= 0 < 1.31.4+ds-1 | 1.31.4+ds-1
msrc | azl3_kubernetes_1.28.3-2_on_azure_linux_3.0 | |
msrc | azl3_kubernetes_1.30.10-7_on_azure_linux_3.0 | |
msrc | azl3_python-kubernetes_21.7.0-1_on_azure_linux_3.0 | |
msrc | azure_linux_3.0_arm | |
msrc | azure_linux_3.0_x64 | |
msrc | cbl2_kubernetes_1.28.3-1_on_cbl_mariner_2.0 | |
msrc | cbl2_python-kubernetes_21.7.0-1_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
msrc | cm1_kubernetes_1.22.4-2_on_cbl_mariner_1.0 | |
oracle | communications_cloud_native_core_network_slice_selection_function | |
oracle | communications_cloud_native_core_policy | |
oracle | communications_cloud_native_core_service_communication_proxy | |

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P
ghsa | | 5.0 | MEDIUM |
osv | | 5.0 | MEDIUM |
vendor_debian | | 6.3 | LOW |
vendor_redhat | | 6.3 | MEDIUM |
vendor_msrc | | 5.0 | MEDIUM |
vendor_oracle | | 5.0 | MEDIUM |