CVE-2020-8558

Aliases:GHSA-wqv3-8cm6-h6wgGO-2022-0885

Advisory lineage Upstream: 0 Downstream: 7

Downstream

DEBIAN-CVE-2020-8558 OPENSUSE-SU-2025:15424-1 RHSA-2020:2413 RHSA-2020:2927 RHSA-2020:2992 RHSA-2020:3183

Modified

Published: 27 Jul 2020, 19:55

Last modified:16 Sept 2024, 22:40

Vulnerability Summary

Overall Risk (default)

medium

49/100

CVSS Score

8.8 HIGH

v3.1 (nvd)

EPSS Score

20.15% HIGH

20% probability -5.00%

KEV

Not listed

Ransomware

No reports

Public exploits

2 found

Dark Web

Not detected

Timeline

27 Jul 2020, 19:55

Published

Vulnerability first disclosed

16 Sept 2024, 22:40

Last Modified

Vulnerability information updated

Description

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

CVSS Metrics

v3.1•MEDIUM•Score: 5.4CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
v3.1•HIGH•Score: 8.8CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 5.8AV:A/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 20.15%• Percentile: 96%

Techniques & Countermeasures

CWE-420•Unprotected Alternate Channel
The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

Affected Systems

k8s.io•kubernetes
≥ 1.17.0, < 1.17.7 | < 1.16.11 | ≥ 1.18.0, < 1.18.4
kubernetes•kubernetes
≥ 1.1.0, ≤ 1.16.10 | ≥ 1.17.0, ≤ 1.17.6 | ≥ 1.18.0, ≤ 1.18.3 | prior to 1.18.4 | prior to 1.17.7 | prior to 1.16.11 | 1.15 | 1.14 | 1.13 | 1.12 | 1.11 | 1.10 | 1.9 | 1.8 | 1.7 | 1.6 | 1.5 | 1.4 | 1.3 | 1.2 | 1.1