gsd-2020-8558
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-8558",
"description": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node\u0027s network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.",
"id": "GSD-2020-8558",
"references": [
"https://www.suse.com/security/cve/CVE-2020-8558.html",
"https://access.redhat.com/errata/RHSA-2020:3184",
"https://access.redhat.com/errata/RHSA-2020:3183",
"https://access.redhat.com/errata/RHSA-2020:2992",
"https://access.redhat.com/errata/RHSA-2020:2927",
"https://access.redhat.com/errata/RHSA-2020:2926",
"https://access.redhat.com/errata/RHSA-2020:2413",
"https://access.redhat.com/errata/RHSA-2020:2412"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-8558"
],
"details": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node\u0027s network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.",
"id": "GSD-2020-8558",
"modified": "2023-12-13T01:21:54.061105Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2020-04-18T00:00:00.000Z",
"ID": "CVE-2020-8558",
"STATE": "PUBLIC",
"TITLE": "Kubernetes node setting allows for neighboring hosts to bypass localhost boundary"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes",
"version": {
"version_data": [
{
"version_value": "prior to 1.18.4"
},
{
"version_value": "prior to 1.17.7"
},
{
"version_value": "prior to 1.16.11"
},
{
"version_value": "1.15"
},
{
"version_value": "1.14"
},
{
"version_value": "1.13"
},
{
"version_value": "1.12"
},
{
"version_value": "1.11"
},
{
"version_value": "1.10"
},
{
"version_value": "1.9"
},
{
"version_value": "1.8"
},
{
"version_value": "1.7"
},
{
"version_value": "1.6"
},
{
"version_value": "1.5"
},
{
"version_value": "1.4"
},
{
"version_value": "1.3"
},
{
"version_value": "1.2"
},
{
"version_value": "1.1"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "J\u00e1nos K\u00f6v\u00e9r, Ericsson"
},
{
"lang": "eng",
"value": "Additional impacts reported by Rory McCune, NCC Group and Yuval Avrahami and Ariel Zelivansky, Palo Alto Networks"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node\u0027s network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-420 Unprotected Alternate Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/kubernetes/kubernetes/issues/92315",
"refsource": "CONFIRM",
"url": "https://github.com/kubernetes/kubernetes/issues/92315"
},
{
"name": "[Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows for neighboring hosts to bypass localhost boundary",
"refsource": "MLIST",
"url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200821-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200821-0001/"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes/kubernetes/issues/90259"
],
"discovery": "USER"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=v1.1.0 \u003c=v1.16.10 || \u003e=v1.17.0 \u003c=v1.17.6 || \u003e=v1.18.0 \u003c=v1.18.3",
"affected_versions": "All versions starting from 1.1.0 up to 1.16.10, all versions starting from 1.17.0 up to 1.17.6, all versions starting from 1.18.0 up to 1.18.3",
"cvss_v2": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-287",
"CWE-937"
],
"date": "2020-07-29",
"description": "kube-proxy was found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to localhost running on the node or in the node\u0027s network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.",
"fixed_versions": [
"v1.16.11-rc.0",
"v1.17.7-rc.0",
"v1.18.4-rc.0"
],
"identifier": "CVE-2020-8558",
"identifiers": [
"CVE-2020-8558"
],
"not_impacted": "All versions before 1.1.0, all versions after 1.16.10 before 1.17.0, all versions after 1.17.6 before 1.18.0, all versions after 1.18.3",
"package_slug": "go/github.com/kubernetes/kube-proxy",
"pubdate": "2020-07-27",
"solution": "Upgrade to versions 1.16.11-rc.0, 1.17.7-rc.0, 1.18.4-rc.0 or above. *Note*: 1.16.11-rc.0, 1.17.7-rc.0, and 1.18.4-rc.0 may be unstable versions. Use caution.",
"title": "Improper Authentication",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-8558"
],
"uuid": "e034728e-a601-4cc8-ab9e-827eff833d3d",
"versions": [
{
"commit": {
"sha": "d583f27844a826ea8072afa128a53fb0dd307869",
"tags": [
"kubernetes-1.17.0"
],
"timestamp": "20191211002955"
},
"number": "v1.17.0"
},
{
"commit": {
"sha": "438b3b615bc7fc779a5506907190e8b4ab3bc603",
"tags": [
"kubernetes-1.18.0"
],
"timestamp": "20200326041814"
},
"number": "v1.18.0"
},
{
"commit": {
"sha": "09b556687fc56a06ae0f4d8fec50924a2fef31d3",
"tags": [
"kubernetes-1.18.3"
],
"timestamp": "20200520190351"
},
"number": "v1.18.3"
},
{
"commit": {
"sha": "68a6d9a50866b2268da7e85687fd84b5bb3ada96",
"tags": [
"kubernetes-1.18.4-rc.0"
],
"timestamp": "20200520190353"
},
"number": "v1.18.4-rc.0"
},
{
"commit": {
"sha": "2dabf1cc08b41cb9ad6497bdf1ee98e7d786ee91",
"tags": [
"kubernetes-1.16.11-rc.0"
],
"timestamp": "20200520231615"
},
"number": "v1.16.11-rc.0"
},
{
"commit": {
"sha": "6bea618f8b7a6c1e2a6ac79904d9c668137c1051",
"tags": [
"kubernetes-1.16.10"
],
"timestamp": "20200520231618"
},
"number": "v1.16.10"
},
{
"commit": {
"sha": "c9de960a3a11f0363ac1c0162f574ad2b1678183",
"tags": [
"kubernetes-1.17.6"
],
"timestamp": "20200520231706"
},
"number": "v1.17.6"
},
{
"commit": {
"sha": "09ae2e434c1267e96e798c84be7dcc04c0b17b52",
"tags": [
"kubernetes-1.17.7-rc.0"
],
"timestamp": "20200520231708"
},
"number": "v1.17.7-rc.0"
}
]
},
{
"affected_range": "\u003e=1.18.0 \u003c1.18.4||\u003e=1.17.0 \u003c1.17.7||\u003c1.16.11",
"affected_versions": "All versions starting from 1.18.0 before 1.18.4, all versions starting from 1.17.0 before 1.17.7, all versions before 1.16.11",
"cvss_v2": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-287",
"CWE-937"
],
"date": "2022-04-12",
"description": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node\u0027s network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.",
"fixed_versions": [
"1.18.4",
"1.16.11",
"1.16.11"
],
"identifier": "CVE-2020-8558",
"identifiers": [
"GHSA-wqv3-8cm6-h6wg",
"CVE-2020-8558"
],
"not_impacted": "All versions before 1.18.0, all versions starting from 1.18.4, all versions before 1.17.0, all versions starting from 1.16.11 before 1.17.7",
"package_slug": "go/k8s.io/kube-proxy",
"pubdate": "2022-02-15",
"solution": "Upgrade to versions 1.18.4, 1.16.11, 1.16.11 or above.",
"title": "Improper Authentication",
"urls": [
"https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-wqv3-8cm6-h6wg",
"https://nvd.nist.gov/vuln/detail/CVE-2020-8558",
"https://github.com/kubernetes/kubernetes/issues/92315",
"https://bugzilla.redhat.com/show_bug.cgi?id=1843358",
"https://github.com/tabbysable/POC-2020-8558",
"https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ",
"https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE",
"https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation",
"https://security.netapp.com/advisory/ntap-20200821-0001/",
"https://github.com/advisories/GHSA-wqv3-8cm6-h6wg"
],
"uuid": "457f0565-501f-412f-8332-a24147087eae"
},
{
"affected_range": "\u003c1.16.11||\u003e=1.17.0 \u003c1.17.7||\u003e=1.18.0 \u003c1.18.4",
"affected_versions": "All versions before 1.16.11, all versions starting from 1.17.0 before 1.17.7, all versions starting from 1.18.0 before 1.18.4",
"cvss_v2": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-01-06",
"description": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node\u0027s network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.",
"fixed_versions": [
"1.17.7",
"1.18.4",
"1.16.11"
],
"identifier": "CVE-2020-8558",
"identifiers": [
"GHSA-wqv3-8cm6-h6wg",
"CVE-2020-8558"
],
"not_impacted": "All versions starting from 1.16.11 before 1.17.0, all versions starting from 1.17.7 before 1.18.0, all versions starting from 1.18.4",
"package_slug": "go/k8s.io/kubernetes",
"pubdate": "2022-02-15",
"solution": "Upgrade to versions 1.17.7, 1.18.4, 1.16.11 or above.",
"title": "Improper Authentication in Kubernetes",
"urls": [
"https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-wqv3-8cm6-h6wg",
"https://nvd.nist.gov/vuln/detail/CVE-2020-8558",
"https://github.com/kubernetes/kubernetes/issues/92315",
"https://bugzilla.redhat.com/show_bug.cgi?id=1843358",
"https://github.com/tabbysable/POC-2020-8558",
"https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ",
"https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE",
"https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation",
"https://security.netapp.com/advisory/ntap-20200821-0001/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8558",
"https://www.openwall.com/lists/oss-security/2020/07/08/1",
"https://github.com/advisories/GHSA-wqv3-8cm6-h6wg"
],
"uuid": "b45127b8-fd26-4e9c-a53e-81e8e41b05f3"
},
{
"affected_range": "\u003e=1.1.0 \u003c=1.16.10||\u003e=1.17.0 \u003c=1.17.6||\u003e=1.18.0 \u003c=1.18.3",
"affected_versions": "All versions starting from 1.1.0 up to 1.16.10, all versions starting from 1.17.0 up to 1.17.6, all versions starting from 1.18.0 up to 1.18.3",
"cvss_v2": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-287",
"CWE-937"
],
"date": "2020-08-21",
"description": "The Kubelet and kube-proxy components were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to running on the node or in the node\u0027s network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.",
"fixed_versions": [
"1.16.11",
"1.17.7",
"1.18.4"
],
"identifier": "CVE-2020-8558",
"identifiers": [
"CVE-2020-8558"
],
"not_impacted": "All versions starting from 1.16.11 before 1.17.6, all versions starting from 1.17.7 before 1.18.3, all versions starting from 1.18.4",
"package_slug": "go/k8s.io/kubernetes/pkg/apis/apps/validation",
"pubdate": "2020-07-27",
"solution": "Upgrade to version 1.16.11, 1.17.7, 1.18.4 or above.",
"title": "Improper Authentication",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-8558"
],
"uuid": "29831df3-8f66-4a00-84f2-eef73ba403e1"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.17.6",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.18.3",
"versionStartIncluding": "1.18.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.16.10",
"versionStartIncluding": "1.1.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"ID": "CVE-2020-8558"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node\u0027s network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/kubernetes/kubernetes/issues/92315",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/kubernetes/kubernetes/issues/92315"
},
{
"name": "[Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows for neighboring hosts to bypass localhost boundary",
"refsource": "MLIST",
"tags": [
"Exploit",
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200821-0001/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200821-0001/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-09-20T17:17Z",
"publishedDate": "2020-07-27T20:15Z"
}
}
}
Loading...