CVE-2020-8559

Summary

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetes1.6affected
KubernetesKubernetes1.7affected
KubernetesKubernetes1.8affected
KubernetesKubernetes1.9affected
KubernetesKubernetes1.10affected
KubernetesKubernetes1.11affected
KubernetesKubernetes1.12affected
KubernetesKubernetes1.13affected
KubernetesKubernetes1.14affected
KubernetesKubernetes1.15affected
KubernetesKubernetes1.16 <= 1.16.12affected
KubernetesKubernetes1.17 <= 1.17.8affected
KubernetesKubernetes1.18 <= 1.18.5affected

Weaknesses

  • CWE-601: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

ADP Enrichment

CVE Program Container

Additional References

References