Unverified Ownership in github.com/kubernetes/api

CVE-2020-8554

github.com/kubernetes/api
github.com/Kubernetes/api
k8s.io/api

Medium

5/10

Summary

Kubernetes API server in all versions prior to 1.21.0-alpha.3 allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-283 - Unverified Ownership

The software does not properly verify that a critical resource is owned by the proper entity.

References

Advisory
Issue
Issue
Mail Thread
Pull request

Advisory Timeline

Published Jan 21, 2021

Unverified Ownership in github.com/kubernetes/api

CVE-2020-8554

Summary

CWE-283 - Unverified Ownership

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS