GHSA-qhm4-jxv7-j9pq

GitHub Security Advisory

Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

Affected Packages

Go k8s.io/kubernetes
Affected versions: 1.15.0 (fixed in 1.15.10)
Go k8s.io/kubernetes
Affected versions: 1.16.0 (fixed in 1.16.6)
Go k8s.io/kubernetes
Affected versions: 1.17.0 (fixed in 1.17.2)

Related CVEs

Key Information

GHSA ID: GHSA-qhm4-jxv7-j9pq
Published: February 15, 2022 1:57 AM
Last Modified: January 27, 2023 9:42 PM
CVSS Score: 5.0/10
Primary Ecosystem: Go
Primary Package: k8s.io/kubernetes
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.