CVE-2020-8561: Externally Controlled Reference to a Resource in Another Sphere

September 21, 2021 (updated October 4, 2021)

A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.

References

github.com/advisories/GHSA-74j8-88mm-7496
github.com/kubernetes/kubernetes/issues/104720
groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY
nvd.nist.gov/vuln/detail/CVE-2020-8561

Detect and mitigate CVE-2020-8561 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →