CVE-2020-8559 (Medium) detected in github.com/containerd/containerd/errdefs-v1.3.2

[mend-bolt-for-github[bot]]

CVE-2020-8559 - Medium Severity Vulnerability

Vulnerable Library - github.com/containerd/containerd/errdefs-v1.3.2

An open and reliable container runtime

Dependency Hierarchy: - github.com/docker/docker/api/types-v1.4.2-0.20191223123943-bbcabf69c81b (Root Library) - github.com/docker/docker/api/types/swarm-v1.4.2-0.20191223123943-bbcabf69c81b - github.com/docker/docker/api/types/network-v1.4.2-0.20191223123943-bbcabf69c81b - github.com/docker/docker/errdefs-v1.4.2-0.20191223123943-bbcabf69c81b - :x: **github.com/containerd/containerd/errdefs-v1.3.2** (Vulnerable Library)

Found in HEAD commit: 24d20cdadb424c61c6067a478b696b08056a9b3c

Vulnerability Details

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Publish Date: 2020-07-22

URL: CVE-2020-8559

CVSS 3 Score Details (6.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/kubernetes/kubernetes/issues/92914

Release Date: 2020-07-21

Fix Resolution: v1.18.6,v1.17.9,v1.16.13

---

Step up your Open Source Security Game with WhiteSource here

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.