CVE-2020-8554

 

Published at: - 21-01-2021 06:15

Last modified: - 12-05-2022 04:33

Total changes: - 13

Description

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

 

Verification logic

 

Reference

• N/A-Exploit, Third Party Advisory
• N/A-Mailing List, Third Party Advisory
• [druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554-Mailing List, Patch, Third Party Advisory
• [druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554-Mailing List, Patch, Third Party Advisory
• [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554-Mailing List, Patch, Third Party Advisory
• [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554-Mailing List, Patch, Third Party Advisory
• N/A-Patch, Third Party Advisory
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpuapr2022.html

 

Keywords

NVD

 

CVE-2020-8554

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures