data/reports/GO-2024-2748.yaml - vulndb - Git at Google

 id: GO-2024-2748
 modules:
     - module: k8s.io/apimachinery
       versions:
         - fixed: 0.16.13
         - introduced: 0.17.0
           fixed: 0.17.9
         - introduced: 0.18.0
           fixed: 0.18.7-rc.0
       vulnerable_at: 0.18.6
       packages:
         - package: k8s.io/apimachinery/pkg/util/net
           symbols:
             - ConnectWithRedirects
         - package: k8s.io/apimachinery/pkg/util/proxy
           symbols:
             - UpgradeAwareHandler.tryUpgrade
           derived_symbols:
             - UpgradeAwareHandler.ServeHTTP
     - module: k8s.io/kubernetes
       versions:
         - fixed: 1.16.13
         - introduced: 1.17.0
           fixed: 1.17.9
         - introduced: 1.18.0
           fixed: 1.18.7
       vulnerable_at: 0.18.6
 summary: Privilege Escalation in Kubernetes in k8s.io/apimachinery
 description: |-
     The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on
     proxied upgrade requests that could allow an attacker to escalate privileges
     from a node compromise to a full cluster compromise.
 cves:
     - CVE-2020-8559
 ghsas:
     - GHSA-33c5-9fx5-fvjm
 references:
     - advisory: https://github.com/advisories/GHSA-33c5-9fx5-fvjm
     - web: https://bugzilla.redhat.com/show_bug.cgi?id=1851422
     - web: https://github.com/kubernetes/kubernetes/issues/92914
     - web: https://github.com/kubernetes/kubernetes/pull/92941
     - web: https://github.com/tdwyer/CVE-2020-8559
     - web: https://groups.google.com/d/msg/kubernetes-security-announce/JAIGG5yNROs/19nHQ5wkBwAJ
     - web: https://groups.google.com/g/kubernetes-security-announce/c/JAIGG5yNROs
     - web: https://security.netapp.com/advisory/ntap-20200810-0004
 source:
     id: GHSA-33c5-9fx5-fvjm
     created: 2024-05-17T15:54:30.22341-04:00
 review_status: REVIEWED
	id: GO-2024-2748
	modules:
	- module: k8s.io/apimachinery
	versions:
	- fixed: 0.16.13
	- introduced: 0.17.0
	fixed: 0.17.9
	- introduced: 0.18.0
	fixed: 0.18.7-rc.0
	vulnerable_at: 0.18.6
	packages:
	- package: k8s.io/apimachinery/pkg/util/net
	symbols:
	- ConnectWithRedirects
	- package: k8s.io/apimachinery/pkg/util/proxy
	symbols:
	- UpgradeAwareHandler.tryUpgrade
	derived_symbols:
	- UpgradeAwareHandler.ServeHTTP
	- module: k8s.io/kubernetes
	versions:
	- fixed: 1.16.13
	- introduced: 1.17.0
	fixed: 1.17.9
	- introduced: 1.18.0
	fixed: 1.18.7
	vulnerable_at: 0.18.6
	summary: Privilege Escalation in Kubernetes in k8s.io/apimachinery
	description: \|-
	The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on
	proxied upgrade requests that could allow an attacker to escalate privileges
	from a node compromise to a full cluster compromise.
	cves:
	- CVE-2020-8559
	ghsas:
	- GHSA-33c5-9fx5-fvjm
	references:
	- advisory: https://github.com/advisories/GHSA-33c5-9fx5-fvjm
	- web: https://bugzilla.redhat.com/show_bug.cgi?id=1851422
	- web: https://github.com/kubernetes/kubernetes/issues/92914
	- web: https://github.com/kubernetes/kubernetes/pull/92941
	- web: https://github.com/tdwyer/CVE-2020-8559
	- web: https://groups.google.com/d/msg/kubernetes-security-announce/JAIGG5yNROs/19nHQ5wkBwAJ
	- web: https://groups.google.com/g/kubernetes-security-announce/c/JAIGG5yNROs
	- web: https://security.netapp.com/advisory/ntap-20200810-0004
	source:
	id: GHSA-33c5-9fx5-fvjm
	created: 2024-05-17T15:54:30.22341-04:00
	review_status: REVIEWED