Vulnerability Report: GO-2024-2748

CVE-2020-8559, GHSA-33c5-9fx5-fvjm
Affects: k8s.io/apimachinery, k8s.io/kubernetes
Published: May 20, 2024

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-33c5-9fx5-fvjm.

Affected Modules

Path

Versions
k8s.io/kubernetes

before v1.16.13, from v1.17.0 before v1.17.9, from v1.18.0 before v1.18.7

Affected Packages

Path

Versions

Symbols
k8s.io/apimachinery/pkg/util/net

before v0.16.13, from v0.17.0 before v0.17.9, from v0.18.0 before v0.18.7-rc.0
- ConnectWithRedirects
k8s.io/apimachinery/pkg/util/proxy

before v0.16.13, from v0.17.0 before v0.17.9, from v0.18.0 before v0.18.7-rc.0
- UpgradeAwareHandler.ServeHTTP

Aliases

CVE-2020-8559
GHSA-33c5-9fx5-fvjm

References

https://github.com/advisories/GHSA-33c5-9fx5-fvjm
https://bugzilla.redhat.com/show_bug.cgi?id=1851422
https://github.com/kubernetes/kubernetes/issues/92914
https://github.com/kubernetes/kubernetes/pull/92941
https://github.com/tdwyer/CVE-2020-8559
https://groups.google.com/d/msg/kubernetes-security-announce/JAIGG5yNROs/19nHQ5wkBwAJ
https://groups.google.com/g/kubernetes-security-announce/c/JAIGG5yNROs
https://security.netapp.com/advisory/ntap-20200810-0004
https://vuln.go.dev/ID/GO-2024-2748.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL