URL Redirection to Untrusted Site ('Open Redirect')

CVE-2020-8559

Medium

6.8/10

Summary

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. This issue affects the package github.com/kubernetes/apimachinery prior to 0.16.13, 0.17.x prior to 0.17.9, and 0.18.x prior to 0.18.6, 0.19.x prior to 0.19.0-rc.1 and 0.20.0-alpha.0 and the package github.com/kubernetes/kubernetes prior to 1.16.13, 1.17.x prior to 1.17.9, and 1.18.x prior to 1.18.6, 1.19.x prior to 1.19.0-rc.1 and 1.20.0-alpha.0

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-601 - Open Redirect

An open redirect attack employs a URL parameter, HTML refresh tags, or a DOM based location change to exploit the trust of a vulnerable domain to direct the users to a malicious website. The attack could lead to higher severity vulnerabilities such as unauthorized access control, account takeover, XSS, and more.

References

Advisory Timeline

Published Jul 22, 2020

URL Redirection to Untrusted Site ('Open Redirect')

CVE-2020-8559

Summary

CWE-601 - Open Redirect

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS