CVE-2020-8551 : The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Published 2020-03-27 15:15:13

Updated 2023-01-27 18:26:03

Source Kubernetes

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2020-8551

Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Kubernetes » Kubernetes
Versions from including (>=) 1.16.0 and up to, including, (<=) 1.16.6
cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
Matching versions
Kubernetes » Kubernetes
Versions from including (>=) 1.15.0 and up to, including, (<=) 1.15.9
cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
Matching versions
Kubernetes » Kubernetes
Versions from including (>=) 1.17.0 and up to, including, (<=) 1.17.2
cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-8551

EPSS FAQ

0.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 52 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-8551

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.3	LOW	AV:A/AC:L/Au:N/C:N/I:N/A:P	6.5	2.9	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
4.3	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	2.8	1.4	Kubernetes
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
6.5	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-8551

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: nvd@nist.gov (Primary)
CWE-789 Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Assigned by: jordan@liggitt.net (Secondary)

References for CVE-2020-8551

https://groups.google.com/forum/#!topic/kubernetes-security-announce/2UOlsba2g0s

[Security Advisory] CVE-2020-8551, CVE-2020-8552: Denial of service (Medium) - Google Groepen
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/kubernetes/kubernetes/issues/89377

CVE-2020-8551: Kubelet DoS via API · Issue #89377 · kubernetes/kubernetes · GitHub
Issue Tracking;Patch;Third Party Advisory
https://security.netapp.com/advisory/ntap-20200413-0003/

April 2020 Kubernetes Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/

Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-8551

Products affected by CVE-2020-8551

Exploit prediction scoring system (EPSS) score for CVE-2020-8551

CVSS scores for CVE-2020-8551

CWE ids for CVE-2020-8551

References for CVE-2020-8551