728596 – (CVE-2020-8555) sys-cluster/kube-controller-manager: SSRF allowing information leak (CVE-2020-8555)

Bug 728596 (CVE-2020-8555) - sys-cluster/kube-controller-manager: SSRF allowing information leak (CVE-2020-8555)

Summary: sys-cluster/kube-controller-manager: SSRF allowing information leak (CVE-2020...

Status:	RESOLVED FIXED

Alias:	CVE-2020-8555

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://github.com/kubernetes/kuberne...
Whiteboard:	~4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-06-17 23:13 UTC by Sam James
Modified:	2021-06-12 17:52 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-06-17 23:13:31 UTC

Description:
"The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services)."

Comment 1 Sam James archtester

2020-06-17 23:14:18 UTC

Hi William, please bump to 1.16.9, 1.17.5. Thanks!

Comment 2 William Hubbs gentoo-dev

2020-07-13 18:27:10 UTC

sys-cluster/kubernetes now has versions which are not vulnerable to
this.

Comment 3 John Helmert III archtester

2021-06-12 17:52:46 UTC

Thanks! Seems no stable versions were affected, so no GLSA. All done!