Cyber Resilience

CVE-2020-8554

Medium | Public PoC | Updated

Published: 21 January 2021
Modified: 01 June 2026
KEV Added: (not listed)
Patch: (no patch reference recorded on this page)
CVSS v3.1 Score: 6.3 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.2478 (96.3rd percentile)
Risk Priority: 27 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-8554 is a medium-severity Unverified Ownership (CWE-283) vulnerability in Kubernetes (vendor Kubernetes, product Kubernetes). Its CVSS v3.1 base score is 6.3 (Medium).

Operationally, it is ranked in the top 3.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

The Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status of a LoadBalancer service (which is considered a privileged operation and should not typically be granted to users) can set status.loadBalancer.ingress.ip to similar effect.

CWE(s)

CWE-283: Unverified Ownership

Related Threats

Threat-Actor Attribution (AI)

APT29 (G0016): SolarStorm Timeline: Details of the Software Supply-Chain Attack

Affected Assets

Vendor | Product | Version
kubernetes | kubernetes | all versions
oracle | communications cloud native core network slice selection function | 1.2.1
oracle | communications cloud native core policy | 1.15.0
oracle | communications cloud native core service communication proxy | 1.14.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References