Potential proxy IP restriction bypass in Kubernetes

Low severity GitHub Reviewed Published Feb 2, 2022 to the GitHub Advisory Database • Updated Feb 3, 2023

Package

gomod k8s.io/kubernetes (Go)

Affected versions

>= 1.21.0, < 1.21.1
>= 1.20.0, < 1.20.7
>= 1.19.0, < 1.19.11
< 1.18.19

Patched versions

1.21.1
1.20.7
1.19.11
1.18.19

Description

As mitigations for a report from 2019 and for CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation, Kubernetes performs a DNS name resolution check and validates that the response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution, without validation, for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.
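The check-then-resolve pattern described above, next to a resolve-once-and-pin form, as an added example that is not Kubernetes code. The names `lookupFunc`, `flipping`, `dialTarget` and the host `svc.example` are hypothetical, and the lookup is a constructed in-memory stand-in so nothing touches the network.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

type lookupFunc func(host string) ([]net.IP, error)

var errBlocked = errors.New("address is loopback or link-local")

// flipping is a constructed stand-in for a DNS server whose uncached answers
// differ between queries: each call returns the next address in the cycle.
func flipping(answers ...net.IP) lookupFunc {
	n := 0
	return func(string) ([]net.IP, error) {
		n++
		return []net.IP{answers[(n-1)%len(answers)]}, nil
	}
}

// dialTarget returns the IP a proxy would connect to. It rejects loopback
// (127.0.0.0/8) and link-local (169.254.0.0/16) answers; Go's helpers also
// cover the IPv6 equivalents. pin selects which answer is used to connect.
func dialTarget(lookup lookupFunc, host string, pin bool) (net.IP, error) {
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return nil, errors.New("lookup failed")
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() {
			return nil, errBlocked
		}
	}
	if !pin { // flawed pattern: drop the validated answer, resolve again
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return nil, errors.New("lookup failed")
		}
	}
	return ips[0], nil
}

func main() {
	pub, lo := net.ParseIP("203.0.113.10"), net.ParseIP("127.0.0.1") // constructed
	ip, _ := dialTarget(flipping(pub, lo), "svc.example", false)
	fmt.Println("check-then-resolve would dial:", ip)
	ip, _ = dialTarget(flipping(pub, lo), "svc.example", true)
	fmt.Println("resolve-once-and-pin would dial:", ip)
}
```

With `pin` set, the address handed to the dialer comes from the same answer that passed validation, so a changed second response has no effect on the connection.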

References

Published by the National Vulnerability Database Feb 1, 2022
Published to the GitHub Advisory Database Feb 2, 2022
Reviewed Feb 3, 2022
Last updated Feb 3, 2023

Severity

Low 3.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CVE ID

CVE-2020-8562

GHSA ID

GHSA-qh36-44jv-c8xj
