{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"lessThan": "v1.17.3", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "v1.16.7", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "v1.15.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Henrik Schmidt"}], "descriptions": [{"lang": "en", "value": "The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "description": "CWE-789 Uncontrolled Memory Allocation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-24T02:06:18", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/kubernetes/kubernetes/issues/89377"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/2UOlsba2g0s"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"}, {"name": "FEDORA-2020-aeea04cd13", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/89377"], "discovery": "EXTERNAL"}, "title": "Kubernetes kubelet denial of service", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "ID": "CVE-2020-8551", "STATE": "PUBLIC", "TITLE": "Kubernetes kubelet denial of service"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"version_affected": "<", "version_value": "v1.17.3"}, {"version_affected": "<", "version_value": "v1.16.7"}, {"version_affected": "<", "version_value": "v1.15.10"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "Henrik Schmidt"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-789 Uncontrolled Memory Allocation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubernetes/kubernetes/issues/89377", "refsource": "MISC", "url": "https://github.com/kubernetes/kubernetes/issues/89377"}, {"name": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s"}, {"name": "https://security.netapp.com/advisory/ntap-20200413-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"}, {"name": "FEDORA-2020-aeea04cd13", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"}]}, "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/89377"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:45.888Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/89377"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/2UOlsba2g0s"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"}, {"name": "FEDORA-2020-aeea04cd13", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2020-8551", "datePublished": "2020-03-27T14:25:14", "dateReserved": "2020-02-03T00:00:00", "dateUpdated": "2024-08-04T10:03:45.888Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "44ECF71D-7483-45B0-8BF5-92284C11696C", "versionEndIncluding": "1.15.9", "versionStartIncluding": "1.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "02C07F21-ECB7-4BD2-85AF-C2BB24F175FF", "versionEndIncluding": "1.16.6", "versionStartIncluding": "1.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE0FF258-1EFA-4FF0-84C7-B2976BD70BD3", "versionEndIncluding": "1.17.2", "versionStartIncluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250."}, {"lang": "es", "value": "Se detect\u00f3 que el componente Kubelet en versiones 1.15.0-1.15.9, versiones 1.16.0-1.16.6 y versiones 1.17.0-1.17.2, es vulnerable a un ataque de denegaci\u00f3n de servicio por medio la API de kubelet, incluyendo la API de solo lectura HTTP no autenticada t\u00edpicamente servida en el puerto 10255, y la API HTTPS autenticada t\u00edpicamente servida en el puerto 10250."}], "id": "CVE-2020-8551", "lastModified": "2024-11-21T05:39:01.003", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "jordan@liggitt.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-27T15:15:12.647", "references": [{"source": "jordan@liggitt.net", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/89377"}, {"source": "jordan@liggitt.net", "url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/2UOlsba2g0s"}, {"source": "jordan@liggitt.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/89377"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21topic/kubernetes-security-announce/2UOlsba2g0s"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200413-0003/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "jordan@liggitt.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:1276", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift-0:4.3.10-202003300855.git.0.da48c1d.el7", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1277", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift4/ose-hyperkube:v4.3.10-202003311925", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-04-08T00:00:00Z"}], "bugzilla": {"description": "kubernetes: crafted requests to kubelet API allow for memory exhaustion", "id": "1816403", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816403"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.", "A denial of service flaw was found in Kubernetes' Kubelet API. A remote attacker can exploit this flaw by sending repeated, crafted HTTP requests to exhaust available memory and cause a crash."], "mitigation": {"lang": "en:us", "value": "Prevent unauthenticated or unauthorized access to the Kubelet API"}, "name": "CVE-2020-8551", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-hypershift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-openshift-apiserver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}], "public_date": "2020-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8551\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8551\nhttps://github.com/kubernetes/kubernetes/issues/89377\nhttps://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s"], "statement": "By default, OpenShift Container Platform does not allow unauthenticated access to the Kubelet API. OpenShift Container Platform versions before 4.2 are not affected by this vulnerability as they are based on earlier versions of Kubernetes which do not include metrics for the Kubelet HTTP server.", "threat_severity": "Moderate", "upstream_fix": "kubelet 1.17.3, kubelet 1.16.7, kubelet 1.15.10"}