The Kubernetes API server, in all versions, allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status of a LoadBalancer service (which is considered a privileged operation and should not typically be granted to users) can set status.loadBalancer.ingress.ip to similar effect.
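An added example, not part of the CVE record or of Kubernetes itself: a defender-side audit that reads Service objects in the JSON shape returned by `kubectl get services --all-namespaces -o json` and reports every spec.externalIPs and status.loadBalancer.ingress.ip value outside an operator-approved range. The function name, the approved CIDR list and the sample services are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: ranges the operator has approved for externally reachable IPs.
APPROVED_CIDRS = ["203.0.113.0/24"]

def audit_services(service_list, approved_cidrs=APPROVED_CIDRS):
    """Return (namespace, name, field, ip) for each IP outside approved_cidrs."""
    nets = [ipaddress.ip_network(c) for c in approved_cidrs]

    def approved(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # unparsable values are reported, not trusted
        return any(addr in net for net in nets)

    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        # Field 1 from the description: spec.externalIPs on a Service.
        for ip in svc.get("spec", {}).get("externalIPs") or []:
            if not approved(ip):
                findings.append((ns, name, "spec.externalIPs", ip))
        # Field 2: status.loadBalancer.ingress[].ip (hostname-only entries skipped).
        lb = svc.get("status", {}).get("loadBalancer") or {}
        for entry in lb.get("ingress") or []:
            ip = entry.get("ip")
            if ip and not approved(ip):
                findings.append((ns, name, "status.loadBalancer.ingress.ip", ip))
    return findings

# Constructed sample in the shape of a ServiceList; not real cluster data.
SAMPLE = {"items": [
    {"metadata": {"namespace": "prod", "name": "web"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
    {"metadata": {"namespace": "dev", "name": "cache"},
     "spec": {"type": "ClusterIP", "externalIPs": ["198.51.100.7"]}},
    {"metadata": {"namespace": "prod", "name": "lb"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.50"}]}}},
    {"metadata": {"namespace": "prod", "name": "dns-lb"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"hostname": "lb.example.test"}]}}},
]}

if __name__ == "__main__":
    for finding in audit_services(SAMPLE):
        print(*finding)
```

Load balancer addresses assigned by the provider must be included in the approved ranges, otherwise every legitimate LoadBalancer service is reported.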
MITRE
Status: PUBLISHED
Assigner: kubernetes
Published: 2021-01-21T17:09:21.169393Z
Updated: 2024-09-17T00:40:57.713Z
Reserved: 2020-02-03T00:00:00
Link: CVE-2020-8554
NVD
Status: Modified
Published: 2021-01-21T17:15:13.843
Modified: 2024-11-21T05:39:01.370
Link: CVE-2020-8554