CVE-2020-8555

{"id": "CVE-2020-8555", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "jordan@liggitt.net", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.8}]}, "published": "2020-06-05T17:15:11.640", "references": [{"url": "http://www.openwall.com/lists/oss-security/2020/06/01/4", "tags": ["Mailing List", "Third Party Advisory"], "source": "jordan@liggitt.net"}, {"url": "http://www.openwall.com/lists/oss-security/2021/05/04/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "jordan@liggitt.net"}, {"url": "https://github.com/kubernetes/kubernetes/issues/91542", "tags": ["Third Party Advisory"], "source": "jordan@liggitt.net"}, {"url": "https://groups.google.com/d/topic/kubernetes-security-announce/kEK27tqqs30/discussion", "tags": ["Mailing List", "Third Party Advisory"], "source": "jordan@liggitt.net"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/", "source": "jordan@liggitt.net"}, {"url": "https://security.netapp.com/advisory/ntap-20200724-0005/", "tags": ["Third Party Advisory"], "source": "jordan@liggitt.net"}, {"url": "http://www.openwall.com/lists/oss-security/2020/06/01/4", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2021/05/04/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/kubernetes/kubernetes/issues/91542", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://groups.google.com/d/topic/kubernetes-security-announce/kEK27tqqs30/discussion", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20200724-0005/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "jordan@liggitt.net", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services)."}, {"lang": "es", "value": "El Kubernetes kube-controller-manager en las versiones v1.0-1.14, versiones anteriores a v1.15.12, v1.16.9, v1.17.5 y v1.18.0, son vulnerables a un ataque de tipo Server Side Request Forgery (SSRF) que permite que determinados usuarios autorizados pierdan hasta 500 bytes de informaci\u00f3n arbitraria de endpoints desprotegidos dentro de la red host del maestro (tales como los servicios link-local o loopback)"}], "lastModified": "2024-11-21T05:39:01.533", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BB84B14-8D71-4BEA-90FC-DB76F9A0F781", "versionEndExcluding": "1.15.11"}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "111CE2DC-82F8-4AF6-99B6-5BB847A18D95", "versionEndExcluding": "1.16.9", "versionStartIncluding": "1.16.0"}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D5D5658-D416-434A-BA64-74DA2A4F13E2", "versionEndExcluding": "1.17.5", "versionStartIncluding": "1.17.0"}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.18.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF65B08E-28BD-496F-88AE-CB7271BD7379"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956"}], "operator": "OR"}]}], "sourceIdentifier": "jordan@liggitt.net"}