All errata/sisyphus/ALT-PU-2020-2299-2
ALT-PU-2020-2299-2

Package update kubernetes in branch sisyphus

Version1.18.5-alt1
Task#254354
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (4)

CVE-2020-8555
MEDIUM6.3

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

Published: 2020-06-05Modified: 2024-11-21
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 6.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
References
CVE-2020-8558
HIGH8.8

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

Published: 2020-07-27Modified: 2024-11-21
CVSS 2.0MEDIUM 5.8
CVSS:2.0/AV:A/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
GHSA-wqv3-8cm6-h6wg
HIGH8.8

Improper Authentication in Kubernetes

Published: 2022-02-15Modified: 2023-01-07
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
GHSA-x6mj-w4jf-jmgw
MEDIUM6.3

Server Side Request Forgery (SSRF) in Kubernetes

Published: 2022-02-15Modified: 2023-09-19
CVSS 3.xMEDIUM 6.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
References