{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "prior to 1.18.4"}, {"status": "affected", "version": "prior to 1.17.7"}, {"status": "affected", "version": "prior to 1.16.11"}, {"status": "affected", "version": "1.15"}, {"status": "affected", "version": "1.14"}, {"status": "affected", "version": "1.13"}, {"status": "affected", "version": "1.12"}, {"status": "affected", "version": "1.11"}, {"status": "affected", "version": "1.10"}, {"status": "affected", "version": "1.9"}, {"status": "affected", "version": "1.8"}, {"status": "affected", "version": "1.7"}, {"status": "affected", "version": "1.6"}, {"status": "affected", "version": "1.5"}, {"status": "affected", "version": "1.4"}, {"status": "affected", "version": "1.3"}, {"status": "affected", "version": "1.2"}, {"status": "affected", "version": "1.1"}]}], "credits": [{"lang": "en", "value": "J\u00e1nos K\u00f6v\u00e9r, Ericsson"}, {"lang": "en", "value": "Additional impacts reported by Rory McCune, NCC Group and Yuval Avrahami and Ariel Zelivansky, Palo Alto Networks"}], "datePublic": "2020-04-18T00:00:00", "descriptions": [{"lang": "en", "value": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-21T09:06:15", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubernetes/kubernetes/issues/92315"}, {"name": "[Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows for neighboring hosts to bypass localhost boundary", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200821-0001/"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/90259"], "discovery": "USER"}, "title": "Kubernetes node setting allows for neighboring hosts to bypass localhost boundary", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2020-04-18T00:00:00.000Z", "ID": "CVE-2020-8558", "STATE": "PUBLIC", "TITLE": "Kubernetes node setting allows for neighboring hosts to bypass localhost boundary"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"version_value": "prior to 1.18.4"}, {"version_value": "prior to 1.17.7"}, {"version_value": "prior to 1.16.11"}, {"version_value": "1.15"}, {"version_value": "1.14"}, {"version_value": "1.13"}, {"version_value": "1.12"}, {"version_value": "1.11"}, {"version_value": "1.10"}, {"version_value": "1.9"}, {"version_value": "1.8"}, {"version_value": "1.7"}, {"version_value": "1.6"}, {"version_value": "1.5"}, {"version_value": "1.4"}, {"version_value": "1.3"}, {"version_value": "1.2"}, {"version_value": "1.1"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "J\u00e1nos K\u00f6v\u00e9r, Ericsson"}, {"lang": "eng", "value": "Additional impacts reported by Rory McCune, NCC Group and Yuval Avrahami and Ariel Zelivansky, Palo Alto Networks"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-420 Unprotected Alternate Channel"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubernetes/kubernetes/issues/92315", "refsource": "CONFIRM", "url": "https://github.com/kubernetes/kubernetes/issues/92315"}, {"name": "[Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows for neighboring hosts to bypass localhost boundary", "refsource": "MLIST", "url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"}, {"name": "https://security.netapp.com/advisory/ntap-20200821-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200821-0001/"}]}, "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/90259"], "discovery": "USER"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:46.112Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/92315"}, {"name": "[Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows for neighboring hosts to bypass localhost boundary", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200821-0001/"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2020-8558", "datePublished": "2020-07-27T19:55:19.321721Z", "dateReserved": "2020-02-03T00:00:00", "dateUpdated": "2024-09-16T22:40:40.949Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "9586C74C-1239-4E96-89A6-F618D14EF889", "versionEndIncluding": "1.16.10", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7D0C82A-F13C-4D41-854D-51234D20873E", "versionEndIncluding": "1.17.6", "versionStartIncluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDA694A4-8EC3-47E1-A1F3-CF083D894371", "versionEndIncluding": "1.18.3", "versionStartIncluding": "1.18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service."}, {"lang": "es", "value": "Se encontr\u00f3 que los componentes Kubelet y kube-proxy en las versiones 1.1.0-1.16.10, 1.17.0-1.17.6 y 1.18.0-1.18.3, contienen un problema de seguridad que permite a los hosts adyacentes alcanzar los servicios TCP y UDP vinculados a la versi\u00f3n 127.0.0.1, que se ejecutan en el nodo o en el espacio de nombres de red del nodo. Dicho servicio se considera generalmente que puede ser alcanzado solo por otros procesos en el mismo host, pero debido a esta defensa, podr\u00edan ser alcanzados por otros hosts en la misma LAN que el nodo o por contenedores que se ejecutan en el mismo nodo que el servicio"}], "id": "CVE-2020-8558", "lastModified": "2024-11-21T05:39:01.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "jordan@liggitt.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-27T20:15:12.413", "references": [{"source": "jordan@liggitt.net", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/92315"}, {"source": "jordan@liggitt.net", "tags": ["Exploit", "Mailing List", "Mitigation", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200821-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/92315"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Mitigation", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200821-0001/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-420"}], "source": "jordan@liggitt.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Ariel Zelivansky (Palo Alto Networks), J\u00e1nos K\u00f6v\u00e9r (Ericsson), Rory McCune (NCC Group), and Yuval Avrahami (Palo Alto Networks) as the original reporters.", "affected_release": [{"advisory": "RHSA-2020:2992", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-0:3.11.248-1.git.0.92ee8ac.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2020-07-27T00:00:00Z"}, {"advisory": "RHSA-2020:3183", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift-0:4.3.31-202007280738.p0.git.0.9884401.el8", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-08-05T00:00:00Z"}, {"advisory": "RHSA-2020:3184", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift4/ose-hyperkube:v4.3.31-202007272153.p0", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-08-05T00:00:00Z"}, {"advisory": "RHSA-2020:2926", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift4/ose-hyperkube:v4.4.0-202007120152.p0", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-07-21T00:00:00Z"}, {"advisory": "RHSA-2020:2927", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift-0:4.4.0-202007090832.p0.git.0.bc32fb1.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-07-21T00:00:00Z"}, {"advisory": "RHSA-2020:2412", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift4/ose-hyperkube:v4.5.0-202007100518.p0", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2020-07-13T00:00:00Z"}, {"advisory": "RHSA-2020:2413", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-0:4.5.0-202007012112.p0.git.0.582d7fc.el8", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2020-07-13T00:00:00Z"}], "bugzilla": {"description": "kubernetes: node localhost services reachable via martian packets", "id": "1843358", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-300", "details": ["The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.", "A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication."], "name": "CVE-2020-8558", "package_state": [{"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}], "public_date": "2020-07-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8558\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8558\nhttps://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE"], "statement": "OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.", "threat_severity": "Moderate"}