PT-2021-12791 · Unknown+2 · Kubernetes+1
Javier Provecho · Published 2021-05-04 · Updated 2026-06-06
CVE-2020-8562 · CVSS v2.0 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Kubernetes versions prior to a fixed version (no specific fixed version mentioned)
Description:
Kubernetes attempts to prevent proxied connections from reaching link-local or localhost networks. That proxy IP restriction can be bypassed, giving a user access to private networks on the control plane, when a non-standard DNS server returns differing, non-cached responses between the time the address is checked and the time it is used. Reported methods include proxying to addresses outside the cluster, SSRF through fake nodes, and exploiting the resulting TOCTOU condition. The estimated number of potentially affected devices is not specified.
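As an added example, not code from the advisory or from the Kubernetes project, the Go sketch below contrasts the check-then-dial-by-name pattern behind the TOCTOU described above with a hardened path that resolves once and dials the validated IP. The Resolver type, flipResolver, safeTarget and naiveTarget are hypothetical names, and the rebinding resolver is constructed so the example runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
)

// Resolver stands in for net.DefaultResolver.LookupIP so the example runs offline.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// flipResolver is a constructed rebinding resolver: a public address on odd queries,
// loopback on even ones, as a zero-TTL name server under attacker control would answer.
func flipResolver() Resolver {
	calls := 0
	return func(_ context.Context, _ string) ([]net.IP, error) {
		calls++
		if calls%2 == 1 {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return []net.IP{net.ParseIP("127.0.0.1")}, nil
	}
}

// safeTarget resolves once, refuses the whole answer set if any address is loopback,
// link-local or unspecified, and returns the validated IP so the caller dials that IP.
func safeTarget(ctx context.Context, r Resolver, host string) (net.IP, error) {
	ips, err := r(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("lookup %s failed: %v", host, err)
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return nil, fmt.Errorf("refused: %s resolves to non-routable %s", host, ip)
		}
	}
	return ips[0], nil
}

// naiveTarget runs the same check but then dials by name, so the name is resolved
// a second time: the check-to-use gap (TOCTOU) the advisory describes.
func naiveTarget(ctx context.Context, r Resolver, host string) (net.IP, error) {
	if _, err := safeTarget(ctx, r, host); err != nil {
		return nil, err
	}
	ips, err := r(ctx, host) // second lookup, as net.Dial("tcp", host+":443") would do
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("dial %s failed: %v", host, err)
	}
	return ips[0], nil
}
```

With the flipping resolver, naiveTarget passes the check on 203.0.113.10 and then connects to 127.0.0.1, while safeTarget hands back the address it actually validated.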
Recommendations:
As a temporary workaround, consider disabling the kubectl proxy function until a patch is available. Restrict access to the Kubernetes API Server to minimize the risk of exploitation. Avoid using the status field in Pod manifests to proxy requests to arbitrary addresses. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration:
Time Of Check To Time Of Use (TOCTOU)
Affected Products:
Alt Linux
Kubernetes