As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. All versions of Kubernetes are impacted, and there is no fix in place.

Affected Packages

Go k8s.io/kubernetes

Affected versions: 1.21.0 (last affected: 1.21.1)

Go k8s.io/kubernetes

Affected versions: 1.20.0 (last affected: 1.20.7)

Go k8s.io/kubernetes

Affected versions: 1.19.0 (last affected: 1.19.11)

Go k8s.io/kubernetes

Affected versions: 0 (last affected: 1.18.19)

Related CVEs

CVE-2020-8562

Key Information

GHSA ID

GHSA-qh36-44jv-c8xj

Published

February 2, 2022 12:01 AM

Last Modified

August 6, 2024 11:53 PM

CVSS Score

2.5 /10

Primary Ecosystem

Primary Package

k8s.io/kubernetes

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.