CVE-2020-8555

Summary

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetes1.18.0affected
KubernetesKubernetes1.1affected
KubernetesKubernetes1.2affected
KubernetesKubernetes1.3affected
KubernetesKubernetes1.4affected
KubernetesKubernetes1.5affected
KubernetesKubernetes1.6affected
KubernetesKubernetes1.7affected
KubernetesKubernetes1.8affected
KubernetesKubernetes1.9affected
KubernetesKubernetes1.10affected
KubernetesKubernetes1.11affected
KubernetesKubernetes1.12affected
KubernetesKubernetes1.13affected
KubernetesKubernetes1.14affected
KubernetesKubernetes1.15 < 1.15.12affected
KubernetesKubernetes1.16 < 1.16.9affected
KubernetesKubernetes1.17 < 1.17.5affected

Weaknesses

  • CWE-918: CWE-918 Server-Side Request Forgery (SSRF)

Workarounds

Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.

ADP Enrichment

CVE Program Container

Additional References

References