CVE-2020-8559 — Open Redirect in Kubernetes

CWE-601 — Open Redirect10 documents7 sources

Severity

6.8MEDIUMNVD

CNA6.4

EPSS

51.2%

top 2.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Apimachinery K8s.io Kubernetes

Timeline

PublishedJul 22

Latest updateMay 20

Description

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages5 packages

▶Gok8s.io/kubernetes1.17.0 — 1.17.9+2

▶NVDkubernetes/kubernetes1.16.0 — 1.16.13+3

▶Debiankubernetes/kubernetes< 1.18.5-1+3

▶CVEListV5kubernetes/kubernetes1.16 — 1.16.12+12

▶Gok8s.io/apimachinery0.17.0 — 0.17.9+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Privilege Escalation in Kubernetes in k8s.io/apimachinery↗2024-05-20

▶

GHSA

Privilege Escalation in Kubernetes↗2024-04-24

▶

OSV

Privilege Escalation in Kubernetes↗2024-04-24

▶

CVEList

Privilege escalation from compromised node to cluster↗2020-07-22

▶

OSV

CVE-2020-8559: The Kubernetes kube-apiserver in versions v1↗2020-07-22

▶

📋Vendor Advisories

Red Hat

kubernetes: compromised node could escalate to cluster level privileges↗2020-07-15

▶

Debian

CVE-2020-8559: kubernetes - The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.1...↗2020

▶

💬Community

Bugzilla

CVE-2020-8559 origin: kubernetes: compromised node could escalate to cluster level privileges [fedora-all]↗2020-07-15

▶

Bugzilla

CVE-2020-8559 kubernetes: compromised node could escalate to cluster level privileges↗2020-06-26

▶