CVE-2020-8561
MEDIUMKubernetes API Server - Server-Side Request Forgery via Webhook Response Redirects
Title source: manualDescription
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.
References (4)
Core 4
Core References
Mailing List, Mitigation x_refsource_misc
https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY
Mitigation, Third Party Advisory x_refsource_misc
https://github.com/kubernetes/kubernetes/issues/104720
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20211014-0002/
Scores
CVSS v3
4.1
EPSS
0.0195
EPSS Percentile
77.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Details
CWE
CWE-441
CWE-610
Status
published
Products (4)
k8s.io/kubernetes
0 - 1.22.2Go
kubernetes/kubernetes
1.20.11
kubernetes/kubernetes
1.21.5
kubernetes/kubernetes
1.22.2
Published
Sep 20, 2021
Tracked Since
Feb 18, 2026