
GHSA-j9wf-vvm6-4r9w

GitHub Security Advisory

Unverified Ownership in Kubernetes

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

In all versions, the Kubernetes API server allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status of a LoadBalancer service (a privileged operation that should not typically be granted to users) can set status.loadBalancer.ingress.ip to similar effect.
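An audit for the two fields named above, added here as an example (not code from the advisory or from the Kubernetes project): it reads a service list in the JSON shape of `kubectl get services -A -o json` and reports every spec.externalIPs entry and every LoadBalancer ingress IP (a list in the API) outside an operator-approved set of prefixes. The function name AuditServices, the approved-prefix list and the sample data are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"slices"
)

// Constructed sample in the shape of `kubectl get services -A -o json`, trimmed to the two fields.
const sampleList = `{"items":[
 {"metadata":{"namespace":"team-a","name":"web"},"spec":{"externalIPs":["203.0.113.7"]}},
 {"metadata":{"namespace":"team-b","name":"api"},"spec":{"externalIPs":["198.51.100.10"]}},
 {"metadata":{"namespace":"team-c","name":"lb"},"status":{"loadBalancer":{"ingress":[{"ip":"192.0.2.53"}]}}}]}`

type serviceList struct {
	Items []struct {
		Metadata struct{ Namespace, Name string }
		Spec     struct{ ExternalIPs []string }
		Status   struct{ LoadBalancer struct{ Ingress []struct{ IP string } } }
	}
}

// AuditServices (hypothetical name) lists every IP in the two fields outside the approved prefixes.
func AuditServices(list []byte, approved []netip.Prefix) ([]string, error) {
	var sl serviceList
	if err := json.Unmarshal(list, &sl); err != nil {
		return nil, err
	}
	var findings []string
	check := func(ns, name, field, ip string) {
		addr, err := netip.ParseAddr(ip) // an unparseable value is reported, not skipped
		if err != nil || !slices.ContainsFunc(approved, func(p netip.Prefix) bool { return p.Contains(addr) }) {
			findings = append(findings, fmt.Sprintf("%s/%s %s=%s", ns, name, field, ip))
		}
	}
	for _, s := range sl.Items {
		for _, ip := range s.Spec.ExternalIPs {
			check(s.Metadata.Namespace, s.Metadata.Name, "spec.externalIPs", ip)
		}
		for _, in := range s.Status.LoadBalancer.Ingress {
			if in.IP != "" { // hostname-only ingress entries carry no IP
				check(s.Metadata.Namespace, s.Metadata.Name, "status.loadBalancer.ingress.ip", in.IP)
			}
		}
	}
	return findings, nil
}

func main() { fmt.Println(AuditServices([]byte(sampleList), []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")})) }
```

With an empty approved list every populated field is reported, which gives an inventory of services that use either field at all.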

Affected Packages

Go k8s.io/kubernetes
Affected versions: 0 (last affected: 1.22.0)

Related CVEs

Key Information

GHSA ID: GHSA-j9wf-vvm6-4r9w
Published: February 8, 2022 9:50 PM
Last Modified: October 31, 2022 3:56 PM
CVSS Score: 5.0/10
Primary Ecosystem: Go
Primary Package: k8s.io/kubernetes
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 14, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.