Lucene search

K
cveKubernetesCVE-2020-8562
HistoryFeb 01, 2022 - 11:15 a.m.

CVE-2020-8562

2022-02-0111:15:10
CWE-367
kubernetes
web.nvd.nist.gov
59
kubernetes
cve-2020-8562
security
network
bypass
mitigation
nvd

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

5

Confidence

Low

EPSS

0.001

Percentile

41.3%

As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.

Affected configurations

Nvd
Node
kuberneteskubernetesRange1.18.18
OR
kuberneteskubernetesRange1.19.01.19.10
OR
kuberneteskubernetesRange1.20.01.20.6
OR
kuberneteskubernetesMatch1.21.0
VendorProductVersionCPE
kuberneteskubernetescpe:/a:kubernetes:kubernetes::::
kuberneteskubernetes1.21.0cpe:/a:kubernetes:kubernetes:1.21.0:::

CNA Affected

[
  {
    "product": "Kubernetes",
    "vendor": "Kubernetes",
    "versions": [
      {
        "lessThanOrEqual": "v1.18.18",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of v1.18.18",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v1.19.10",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of v1.19.10",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v1.20.6",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of v1.20.6",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v1.21.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of v1.21.0",
        "versionType": "custom"
      }
    ]
  }
]

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

5

Confidence

Low

EPSS

0.001

Percentile

41.3%