CVE-2020-8562
Description
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/kubernetesGo | >= 1.21.0, <= 1.21.1 | — |
k8s.io/kubernetesGo | >= 1.20.0, <= 1.20.7 | — |
k8s.io/kubernetesGo | >= 1.19.0, <= 1.19.11 | — |
k8s.io/kubernetesGo | <= 1.18.19 | — |
Affected products
30cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*range: <=1.18.18
- cpe:2.3:a:kubernetes:kubernetes:1.21.0:*:*:*:*:*:*:*
- (no CPE)range: unspecified
- osv-coords27 versionspkg:apk/chainguard/kubeflow-pipelinespkg:apk/chainguard/kubeflow-pipelines-apiserverpkg:apk/chainguard/kubeflow-pipelines-cache-deployerpkg:apk/chainguard/kubeflow-pipelines-cache-deployer-compatpkg:apk/chainguard/kubeflow-pipelines-cache_serverpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/kubeflow-pipelines-metadata-envoy-configpkg:apk/chainguard/kubeflow-pipelines-metadata-writerpkg:apk/chainguard/kubeflow-pipelines-metadata-writer-compatpkg:apk/chainguard/kubeflow-pipelines-persistence_agentpkg:apk/chainguard/kubeflow-pipelines-scheduledworkflowpkg:apk/chainguard/kubeflow-pipelines-viewer-crd-controllerpkg:apk/chainguard/kubernetes-dns-node-cache-1.17pkg:apk/wolfi/kubeflow-pipelinespkg:apk/wolfi/kubeflow-pipelines-apiserverpkg:apk/wolfi/kubeflow-pipelines-cache-deployerpkg:apk/wolfi/kubeflow-pipelines-cache-deployer-compatpkg:apk/wolfi/kubeflow-pipelines-cache_serverpkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/kubeflow-pipelines-metadata-envoy-configpkg:apk/wolfi/kubeflow-pipelines-metadata-writerpkg:apk/wolfi/kubeflow-pipelines-metadata-writer-compatpkg:apk/wolfi/kubeflow-pipelines-persistence_agentpkg:apk/wolfi/kubeflow-pipelines-scheduledworkflowpkg:apk/wolfi/kubeflow-pipelines-viewer-crd-controllerpkg:golang/k8s.io/kubernetespkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0+ 26 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 1.21.0, <= 1.21.1
- (no CPE)range: < 0.0.20250807T150727-1.1
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-qh36-44jv-c8xjghsaADVISORY
- github.com/kubernetes/kubernetes/issues/101493nvdIssue TrackingMitigationThird Party AdvisoryWEB
- groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOYnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2020-8562ghsaADVISORY
- security.netapp.com/advisory/ntap-20220225-0002/nvdThird Party Advisory
- github.com/kubernetes/kubernetes/issues/101493ghsaWEB
- kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cvesghsaWEB
- security.netapp.com/advisory/ntap-20220225-0002ghsaWEB
- kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves/nvd
News mentions
0No linked articles in our index yet.