CVE-2020-8559

MEDIUM

Kubernetes <v1.16.13,v1.17.9,v1.18.6 - Open Redirect

Title source: llm

Description

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Exploits (2)

nomisec WORKING POC 54 stars

by tdwyer · poc

https://github.com/tdwyer/CVE-2020-8559

View Code ZIP pw:eip

nomisec WORKING POC 20 stars

by tabbysable · poc

https://github.com/tabbysable/POC-2020-8559

View Code ZIP pw:eip

References (3)

[Exploit, Issue Tracking, Patch, Third Party Advisory] https://github.com/kubernetes/kubernetes/issues/92914

[Exploit, Third Party Advisory] https://groups.google.com/d/msg/kubernetes-security-announce/JAIGG5yNROs/19nHQ5wkBwAJ

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20200810-0004/

Scores

CVSS v3 6.4

EPSS 0.5120

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-601

Status published

Products (3)

k8s.io/apimachinery 0 - 0.16.13Go

k8s.io/kubernetes 0 - 1.16.13Go

kubernetes/kubernetes 1.6.0 - 1.15.0

Published Jul 22, 2020

Tracked Since Feb 18, 2026