{"id":"CVE-2020-8555","details":"The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 is vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).","aliases":["GHSA-x6mj-w4jf-jmgw","GO-2022-0890"],"modified":"2026-03-12T02:19:45.158285715Z","published":"2020-06-05T17:15:11.640Z","related":["CGA-rmpf-8rm4-w234","openSUSE-SU-2025:15424-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2020/06/01/4"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/05/04/8"},{"type":"ADVISORY","url":"https://github.com/kubernetes/kubernetes/issues/91542"},{"type":"ADVISORY","url":"https://groups.google.com/d/topic/kubernetes-security-announce/kEK27tqqs30/discussion"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200724-0005/"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2020/06/01/4"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2021/05/04/8"},{"type":"ARTICLE","url":"https://groups.google.com/d/topic/kubernetes-security-announce/kEK27tqqs30/discussion"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes/kubelet","events":[{"introduced":"250a1838aa2c492c9096ff86558515b8639d7e87"},{"fixed":"1e368b138190f5b294cea43ad7f151787cb9f085"},{"introduced":"f9974c2baa2d9ca25416d38e7ecfc7ff4d05d58e"},{"fixed":"7587f9370af42806fe273d70bf8d4f3540224e23"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8555.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes/
kubernetes","events":[{"introduced":"0"},{"fixed":"d94a81c724ea8e1ccc9002d89b7fe81d58f89ede"},{"introduced":"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77"},{"fixed":"a17149e1a189050796ced469dbd78d380f2ed5ef"},{"introduced":"70132b0f130acc0bed193d9ba59dd186f0e634cf"},{"fixed":"e0fccafd69541e3750d460ba0f9743b90336f24f"}]}],"versions":["v1.16.0","v1.16.1","v1.16.1-beta.0","v1.16.2","v1.16.2-beta.0","v1.16.3","v1.16.3-beta.0","v1.16.4","v1.16.4-beta.0","v1.16.5","v1.16.5-beta.0","v1.16.5-beta.1","v1.16.6","v1.16.6-beta.0","v1.16.7","v1.16.7-beta.0","v1.16.8","v1.16.8-beta.0","v1.16.9-beta.0","v1.17.0","v1.17.1","v1.17.1-beta.0","v1.17.2","v1.17.2-beta.0","v1.17.3","v1.17.3-beta.0","v1.17.4","v1.17.4-beta.0","v1.17.5-beta.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8555.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"}]}