Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2021-01-21T17:09:21.169393Z

Updated: 2024-09-17T00:40:57.713Z

Reserved: 2020-02-03T00:00:00

Link: CVE-2020-8554

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-01-21T17:15:13.843

Modified: 2024-11-21T05:39:01.370

Link: CVE-2020-8554

cve-icon Redhat

Severity : Moderate

Publid Date: 2020-12-07T00:00:00Z

Links: CVE-2020-8554 - Bugzilla