CVE-2020-8555

Kubernetes kube-controller-manager SSRF

Description

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

Remediation

Workaround:

  • Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.

Category

6.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 16.51% Top 10%
Vendor Advisory fedoraproject.org
Affected: Kubernetes Kubernetes
Published at:
Updated at:

References

Link Tags
http://www.openwall.com/lists/oss-security/2020/06/01/4 third party advisory mailing list
https://groups.google.com/d/topic/kubernetes-security-announce/kEK27tqqs30/discussion third party advisory mailing list
https://github.com/kubernetes/kubernetes/issues/91542 third party advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/ vendor advisory
https://security.netapp.com/advisory/ntap-20200724-0005/ third party advisory
http://www.openwall.com/lists/oss-security/2021/05/04/8 third party advisory mailing list

Frequently Asked Questions

What is the severity of CVE-2020-8555?
CVE-2020-8555 has been scored as a medium severity vulnerability.
How to fix CVE-2020-8555?
As a workaround for remediating CVE-2020-8555: Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.
Is CVE-2020-8555 being actively exploited in the wild?
It is possible that CVE-2020-8555 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~17% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-8555?
CVE-2020-8555 affects Kubernetes Kubernetes.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.