CVE-2020-8559
published 2020-07-22

Priority: P3 · 35 · medium · 6.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
EPSS: 6.10% (92.5th percentile)
The Kubernetes kube-apiserver in versions v1.6-v1.15, and in versions prior to v1.16.13, v1.17.9 and v1.18.6, is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Affected

29 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.18.5-1 (bookworm) | kubernetes 1.18.5-1 (bookworm) |
| k8s.io | apimachinery | >= 0 < 0.16.13 | 0.16.13 |
| k8s.io | apimachinery | >= 0.17.0 < 0.17.9 | 0.17.9 |
| k8s.io | apimachinery | >= 0.18.0 < 0.18.7-rc.0 | 0.18.7-rc.0 |
| k8s.io | apimachinery | >= 0.18.0 < 0.18.7 | 0.18.7 |
| k8s.io | kubernetes | >= 0 < 1.16.13 | 1.16.13 |
| k8s.io | kubernetes | >= 1.17.0 < 1.17.9 | 1.17.9 |
| k8s.io | kubernetes | >= 1.18.0 < 1.18.7 | 1.18.7 |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | | |
| kubernetes | kubernetes | >= 0 < 1.18.5-1 | 1.18.5-1 |
| kubernetes | kubernetes | >= 0 < 1.18.5-1 | 1.18.5-1 |
| kubernetes | kubernetes | >= 0 < 1.18.5-1 | 1.18.5-1 |
| kubernetes | kubernetes | >= 0 < 1.18.5-1 | 1.18.5-1 |
| kubernetes | kubernetes | 1.16 – 1.16.12 | |
| kubernetes | kubernetes | >= 1.16.0 < 1.16.13 | 1.16.13 |
| kubernetes | kubernetes | 1.17 – 1.17.8 | |

Detection & IOCs (extracted from sources)

  • The attack vector involves an attacker intercepting requests to the Kubelet and sending a crafted redirect response that is followed by the kube-apiserver client using the original request's credentials, enabling privilege escalation from a compromised node to full cluster compromise.
  • Focus detection on unvalidated/unexpected HTTP redirect responses (3xx) returned by a Kubelet node during proxied upgrade requests (e.g., exec, attach, port-forward) handled by kube-apiserver, particularly where the redirect target differs from the expected node endpoint.
  • Monitor for kube-apiserver audit logs showing credential reuse across unexpected endpoints following a redirect from a Kubelet node — this may indicate exploitation where credentials are forwarded to attacker-controlled or unintended cluster endpoints.
  • No mitigation is known for this vulnerability; patching to fixed versions is the only remediation. Detection/monitoring is the only compensating control.
  • Deployments using heketi (Red Hat Gluster Storage 3) are not affected because heketi only uses Kubernetes client-side bits and does not use the kube-apiserver component.

CVSS provenance

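| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | | 6.8 | MEDIUM | |
| vendor_debian | | 6.4 | MEDIUM | |
| vendor_redhat | | 6.4 | MEDIUM | |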