The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.7 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Affected Packages

Go k8s.io/apimachinery

Affected versions: 0 (fixed in 0.16.13)

Go k8s.io/apimachinery

Affected versions: 0.17.0 (fixed in 0.17.9)

Go k8s.io/apimachinery

Affected versions: 0.18.0 (fixed in 0.18.7)

Go k8s.io/kubernetes

Affected versions: 0 (fixed in 1.16.13)

Go k8s.io/kubernetes

Affected versions: 1.17.0 (fixed in 1.17.9)

Go k8s.io/kubernetes

Affected versions: 1.18.0 (fixed in 1.18.7)

Related CVEs

CVE-2020-8559

Key Information

GHSA ID

GHSA-33c5-9fx5-fvjm

Published

April 24, 2024 8:01 PM

Last Modified

May 20, 2024 10:08 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

k8s.io/apimachinery

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 17, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.