{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"lessThan": "*", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "value": "QiQi Xu"}], "datePublic": "2021-09-15T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-441", "description": "CWE-441 Unintended Proxy or Intermediary", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2026-06-01T21:45:29.198Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves/"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kubernetes/kubernetes/issues/104720"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20211014-0002/"}], "source": {"defect": ["https://github.com/kubernetes/kubernetes/issues/104720"], "discovery": "EXTERNAL"}, "title": "Webhook redirect in kube-apiserver", "x_generator": {"engine": "Vulnogram 0.0.9"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:46.267Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/104720"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20211014-0002/"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2020-8561", "datePublished": "2021-09-20T17:05:16.328Z", "dateReserved": "2020-02-03T00:00:00.000Z", "dateUpdated": "2026-06-01T21:45:29.198Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.20.11:-:*:*:*:*:*:*", "matchCriteriaId": "1E602175-D34A-44F2-88CD-C0D2C5D240EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.21.5:-:*:*:*:*:*:*", "matchCriteriaId": "0CBB908A-7235-4F5A-AD59-9E11B77A4CA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:1.22.2:-:*:*:*:*:*:*", "matchCriteriaId": "8A1DF02D-B561-445F-8262-3A9F6762CBC3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs."}, {"lang": "es", "value": "Se ha detectado un problema de seguridad en Kubernetes donde los actores que controlan las respuestas de las peticiones MutatingWebhookConfiguration o ValidatingWebhookConfiguration son capaces de redirigir las peticiones de kube-apiserver a redes privadas del apiserver. Si ese usuario puede visualizar los registros de kube-apiserver cuando el nivel de registro se establece en 10, puede visualizar las respuestas redirigidas y los encabezados en los registros"}], "id": "CVE-2020-8561", "lastModified": "2026-06-01T23:16:14.780", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "jordan@liggitt.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-20T17:15:08.187", "references": [{"source": "jordan@liggitt.net", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/104720"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Mitigation"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY"}, {"source": "jordan@liggitt.net", "url": "https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves/"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211014-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/104720"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211014-0002/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-441"}], "source": "jordan@liggitt.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-610"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kubernetes: Webhook redirect in kube-apiserver", "id": "2000366", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000366"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-601", "details": ["A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.", "A flaw was found in Kubernetes. This flaw allows an actor that controls the responses of the MutatingWebhookConfiguration or the ValidatingWebhookConfiguration requests to redirect kube-apiserver requests to the private network of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs, potentially revealing sensitive information in its responses."], "name": "CVE-2020-8561", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-09-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8561\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8561\nhttps://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY"], "statement": "OpenShift Container Platform 4 does not support logging levels higher than 8 in the kube-apiserver (via the 'TraceAll' option), thereby making it not affected by this vulnerability.\nhttps://docs.openshift.com/container-platform/4.8/rest_api/operator_apis/kubeapiserver-operator-openshift-io-v1.html\nhttps://github.com/openshift/api/blob/release-4.8/operator/v1/types.go#L103", "threat_severity": "Moderate"}

{}