CVE-2020-8562
Published 2022-02-01
Priority: P4 (12), low. CVSS 3.1 score: 3.1
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.08% (61.0th percentile)
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.
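The check-then-resolve gap described above, as an added example (not Kubernetes code): `checkThenDial` validates one lookup and connects using a second, while `resolveOncePinned` validates a single lookup and hands back that same IP. All function names, the host name and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// flipLookup (constructed) mimics a DNS server that answers each query differently.
func flipLookup(answers ...string) func(string) []net.IP {
	n := 0
	return func(string) []net.IP {
		n++
		return []net.IP{net.ParseIP(answers[(n-1)%len(answers)])}
	}
}

// blocked covers 127.0.0.0/8 and 169.254.0.0/16 (plus their IPv6 equivalents).
func blocked(ip net.IP) bool { return ip.IsLoopback() || ip.IsLinkLocalUnicast() }

// firstAllowed rejects the whole answer set if any IP is blocked, else returns the first.
func firstAllowed(ips []net.IP) (net.IP, error) {
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses returned")
	}
	for _, ip := range ips {
		if blocked(ip) {
			return nil, fmt.Errorf("%s is in a blocked range", ip)
		}
	}
	return ips[0], nil
}

// checkThenDial keeps the flawed pattern: validate one lookup, then resolve again.
func checkThenDial(lookup func(string) []net.IP, host string) (net.IP, error) {
	if _, err := firstAllowed(lookup(host)); err != nil {
		return nil, err
	}
	return lookup(host)[0], nil // second, unvalidated resolution picks the target
}

// resolveOncePinned validates a single lookup and returns that same IP to dial.
func resolveOncePinned(lookup func(string) []net.IP, host string) (net.IP, error) {
	return firstAllowed(lookup(host))
}

func main() {
	fmt.Println(checkThenDial(flipLookup("203.0.113.10", "169.254.10.10"), "svc.example.test"))
	fmt.Println(resolveOncePinned(flipLookup("203.0.113.10", "169.254.10.10"), "svc.example.test"))
}
```

The pinned variant only helps if the caller then connects to the returned IP literal (for example via `net.JoinHostPort(ip.String(), port)`) instead of passing the host name to the dialer again.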
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | 0 – 1.18.19 | — |
| k8s.io | kubernetes | 1.19.0 – 1.19.11 | — |
| k8s.io | kubernetes | 1.20.0 – 1.20.7 | — |
| k8s.io | kubernetes | 1.21.0 – 1.21.1 | — |
| kubernetes | kubernetes | <= 1.18.18 | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | 1.19.0 – 1.19.10 | — |
| kubernetes | kubernetes | 1.20.0 – 1.20.6 | — |
CVSS provenance
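| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N |
| ghsa | — | 6.3 | MEDIUM | — |
| osv | — | 6.3 | MEDIUM | — |
| vendor_debian | — | 6.3 | MEDIUM | — |
| vendor_redhat | — | 6.3 | MEDIUM | — |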
Red Hat
kubernetes: Bypass of Kubernetes API Server proxy TOCTOU
vendor_redhat·2021-05-04·CVSS 6.3
CVE-2020-8562 [MEDIUM] CWE-367
A security issue was discovered in Kubern
Debian
CVE-2020-8562: kubernetes
vendor_debian·2020·CVSS 6.3
CVE-2020-8562 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5
OSV
WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes
osv·2024-08-21
CVE-2020-8562
(This report has been withdrawn from the Go vulnerability database with reason: "Low severity issue with no fix available or planned. Likely to cause false positives.").
OSV
Potential proxy IP restriction bypass in Kubernetes
osv·2022-02-02·CVSS 6.3
CVE-2020-8562 [MEDIUM]
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. All versions of Kubernetes are impacted, and th
GHSA
Potential proxy IP restriction bypass in Kubernetes
ghsa·2022-02-02·CVSS 6.3
CVE-2020-8562 [MEDIUM] CWE-367
OSV
CVE-2020-8562
osv·2022-02-01·CVSS 6.3
CVE-2020-8562 [MEDIUM]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/kubernetes/kubernetes/issues/101493
https://groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOY
https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves/
https://security.netapp.com/advisory/ntap-20220225-0002/
Published: 2022-02-01