CVE-2020-8555
MEDIUMKubernetes <1.15.12, <1.16.9, <1.17.5, <1.18.0 - SSRF
Title source: llmDescription
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
References (6)
Core 6
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/06/01/4
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://groups.google.com/d/topic/kubernetes-security-announce/kEK27tqqs30/discussion
Third Party Advisory x_refsource_confirm
https://github.com/kubernetes/kubernetes/issues/91542
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200724-0005/
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/05/04/8
Scores
CVSS v3
6.3
EPSS
0.0368
EPSS Percentile
88.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Details
CWE
CWE-918
Status
published
Products (4)
fedoraproject/fedora
32
k8s.io/kubernetes
1.18.0 - 1.18.1Go
kubernetes/kubernetes
1.18.0
kubernetes/kubernetes
< 1.15.11
Published
Jun 05, 2020
Tracked Since
Feb 18, 2026