CVE-2020-8558

MEDIUM

Kubelet and kube-proxy <1.16.10-1.18.3 - SSRF

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-8558. PoCs published by tabbysable, rhysemmas.

AI-analyzed exploit summary: The repository provides a detailed technical analysis of CVE-2020-8558, a Kubernetes vulnerability where kube-proxy's setting of `net.ipv4.conf.all.route_localnet=1` exposes localhost-bound services to network access. It includes a Dockerfile for testing and Python scripts for PoC, but the primary content is a thorough writeup explaining the root cause, impact, and mitigation strategies.

Description

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defect, it could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

Exploits (2)

nomisec WRITEUP 43 stars
by tabbysable · poc
https://github.com/tabbysable/POC-2020-8558

The repository provides a detailed technical analysis of CVE-2020-8558, a Kubernetes vulnerability where kube-proxy's setting of `net.ipv4.conf.all.route_localnet=1` exposes localhost-bound services to network access. It includes a Dockerfile for testing and Python scripts for PoC, but the primary content is a thorough writeup explaining the root cause, impact, and mitigation strategies.

Classification: Writeup 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes kube-proxy (versions prior to 1.18.4, 1.17.7, 1.16.11)
No auth needed
Prerequisites: Network access to a vulnerable Kubernetes node · Ability to send crafted packets (e.g., via raw sockets or CAP_NET_RAW capability)
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by rhysemmas · poc
https://github.com/rhysemmas/martian-packets

This repository contains a functional Python-based exploit for CVE-2020-8558, which leverages martian packets to bypass kube-proxy firewall rules in Kubernetes. The exploit crafts raw TCP/IP packets to target the unauthenticated kube-apiserver on port 8080, creating a malicious pod as proof of exploitation.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Kubernetes kube-proxy (versions affected by CVE-2020-8558)
No auth needed
Prerequisites: Access to a Kubernetes cluster with a vulnerable kube-proxy · Ability to deploy a pod with NET_RAW capabilities · Unauthenticated kube-apiserver accessible on port 8080
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Exploit, Mitigation, Patch, Third Party Advisory x_refsource_confirm
https://github.com/kubernetes/kubernetes/issues/92315
Exploit, Mailing List, Mitigation, Third Party Advisory mailing-list x_refsource_mlist
https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200821-0001/

Scores

CVSS v3 5.4
EPSS 0.2015
EPSS Percentile 95.6%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE CWE-420
Status published
Products (2)
k8s.io/kubernetes 1.18.0 - 1.18.4 (Go)
kubernetes/kubernetes 1.1.0 - 1.16.10
Published Jul 27, 2020
Tracked Since Feb 18, 2026