MEDIUM✓ PATCH🇬🇧 English

CVE-2020-8554

CVSS 6.3v3.1pub. 2021-01-21upd. 2026-06-01

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • Kubernetes

    APP
    Kubernetes
    wszystkie wersje
  • Oracle Communications Cloud Native Core Network Slice Selection Function

    APP
    Oracle
    1.2.1
  • Oracle Communications Cloud Native Core Policy

    APP
    Oracle
    1.15.0
  • Oracle Communications Cloud Native Core Service Communication Proxy

    APP
    Oracle
    1.14.0
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
Container
CWE
Referencje

Powiązane podatności

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2022-22947CRITICAL10.0⚠ KEVten sam produkt

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...

CVE-2026-33519CRITICAL9.8PL ✓ten sam produkt

Nieprawidłowa autoryzacja w Esri Portal for ArcGIS — obejście uprawnień

CVE-2025-57870CRITICAL10.0PL ✓ten sam produkt

SQL Injection w Esri ArcGIS Server — zdalny dostęp bez uwierzytelnienia