CVE-2020-8555Server-Side Request Forgery in Kubernetes

CWE-918Server-Side Request ForgeryCWE-200Sensitive Information ExposureCWE-367Time-of-check Time-of-use (TOCTOU) Race Condition12 documents7 sources
Severity
6.3MEDIUMNVD
EPSS
8.6%
top 7.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
KubernetesK8s.io KubernetesFedoraproject Fedora
Timeline
PublishedJun 5
Latest updateAug 21

Description

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.8 | Impact: 4.0

Affected Packages4 packages

Gok8s.io/kubernetes1.18.01.18.1+3
CVEListV5kubernetes/kubernetes1.151.15.12+18
NVDkubernetes/kubernetes1.16.01.16.9+3
Debiankubernetes/kubernetes< 1.18.2-1+3

Also affects: Fedora 32

🔴Vulnerability Details

6
OSV
Server Side Request Forgery (SSRF) in Kubernetes in k8s.io/kubernetes2024-08-21
OSV
Server Side Request Forgery (SSRF) in Kubernetes2022-02-15
GHSA
Server Side Request Forgery (SSRF) in Kubernetes2022-02-15
GHSA
Potential proxy IP restriction bypass in Kubernetes2022-02-02
OSV
CVE-2020-8555: The Kubernetes kube-controller-manager in versions v12020-06-05

📋Vendor Advisories

3
Red Hat
kubernetes: Bypass of Kubernetes API Server proxy TOCTOU2021-05-04
Red Hat
kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information2020-06-01
Debian
CVE-2020-8555: kubernetes - The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to ...2020

💬Community

2
Bugzilla
CVE-2020-8555 origin: kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information [fedora-all]2020-06-01
Bugzilla
CVE-2020-8555 kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information2020-04-07
CVE-2020-8555 — Server-Side Request Forgery | cvebase