CVE-2020-8562
2.2 LOWAs mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or l...
Published: 2022-02-01 · Last updated: 2026-06-01
Severity and scoring
- CVSS
- 2.2 LOW
- Vector
- CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-367
Affected products
| Vendor | Product |
|---|---|
| kubernetes | kubernetes |
Description
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2020-8562
- [Other]https://github.com/kubernetes/kubernetes/issues/101493
- [Other]https://groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOY
- [Other]https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves/
- [Other]https://security.netapp.com/advisory/ntap-20220225-0002/
- [Other]https://github.com/kubernetes/kubernetes/issues/101493
- [Other]https://groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOY
- [Other]https://security.netapp.com/advisory/ntap-20220225-0002/
Related CVEs
Same vendor
- CVE-2026-4342 — A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx (8.8 HIGH)
- CVE-2021-25740 — A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not hav... (3.1 LOW)
- CVE-2020-8561 — A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhoo... (4.1 MEDIUM)
- CVE-2020-8554 — Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to ... (6.3 MEDIUM)
Same CWE
- CVE-2026-24067 — Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes ... (8.4 HIGH)
- CVE-2026-49958 — Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard functi... (5.0 MEDIUM)
- CVE-2026-45647 — Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges ... (5.5 MEDIUM)
- CVE-2026-45487 — Time-of-check time-of-use (TOCTOU) race condition in Program Compatibility Assistant Service allows an authorized attacker to elevate pri... (7.8 HIGH)
- CVE-2026-24065 — Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service (8.1 HIGH)