#VU94655 Time-of-check Time-of-use (TOCTOU) Race Condition in Kubernetes - CVE-2020-8562

Cybersecurity Help s.r.o.

Published: 2024-07-23

Vulnerability identifier: #VU94655

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8562

CWE-ID: CWE-367

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Kubernetes
Server applications / Frameworks for developing and running applications

Vendor: Kubernetes

Description

The vulnerability allows a remote privileged user to gain access to potentially sensitive information.

The vulnerability exists due to a time-of-check time-of-use (TOCTOU) race condition flaw in the API Server proxy. A remote privileged user can send a specially-crafted request and exploit this vulnerability to gain access to private networks on the Kubernetes control plane components.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Kubernetes: 1.19.0 - 1.19.10, 1.20.0 - 1.20.6

External links
https://groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOY
https://github.com/kubernetes/kubernetes/issues/101493
https://security.netapp.com/advisory/ntap-20220225-0002/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM InfoSphere Information Server

Time-of-check time-of-use (TOCTOU) race condition in Kubernetes