CVE-2020-8558

Affected: Kubernetes (kube-proxy) v1.18.3, v1.17.6, v1.16.10 and earlier.

To mitigate CVE-2020-8558, organizations using affected versions of Kubernetes should upgrade kube-proxy to a fixed release; where that is not immediately possible, apply the node-level iptables rule described below, confirm the route_localnet setting and the kube-proxy version on every node, and use network policies to limit pod-to-node IP traffic.

This vulnerability was assigned a CVSS v3 base score of 5.9 (Medium); some vendors later raised it to 7.5 because of its practical exploitability in shared cluster environments.

If an immediate upgrade is not possible, you can manually add an iptables rule on each node that drops packets arriving from a non-loopback source but addressed to the 127.0.0.0/8 range, so the bypass is blocked before it reaches any localhost-bound service.
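The following script is an added example, not code from the original page or from the Kubernetes project. It wraps the node-level mitigation rule published in the Kubernetes advisory for CVE-2020-8558 so it can be checked, inserted and removed idempotently; the subcommand names (apply, remove, check, show) and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page or the Kubernetes project).
# Applies the node-level CVE-2020-8558 mitigation from the Kubernetes advisory:
# drop packets that arrive for 127.0.0.0/8 from a non-loopback source, except
# those belonging to an established or already-DNATed connection, so kube-proxy's
# own NodePort-on-localhost handling keeps working. Must run as root on every node.
# route_localnet is an IPv4-only sysctl, so there is no ip6tables counterpart.

# One rule spec for the INPUT chain, shared by -C (check), -I (insert) and
# -D (delete) so the three invocations can never drift apart.
cve_2020_8558_rule_spec() {
  printf '%s' 'INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP'
}

# Full command line for a given iptables action ($1 = -C | -I | -D),
# useful for dry runs, change tickets and audit logs.
cve_2020_8558_iptables_cmd() {
  printf 'iptables %s %s\n' "$1" "$(cve_2020_8558_rule_spec)"
}

# Run iptables with the shared spec. Word splitting of the spec is intended:
# each token (including the bare "!") must reach iptables as its own argument.
run_iptables() {
  # shellcheck disable=SC2046
  iptables "$1" $(cve_2020_8558_rule_spec)
}

# Idempotent insert: exits 0 whether the rule was already present or just added.
# -I puts it at the top of INPUT so nothing earlier can accept the packet.
apply_mitigation() {
  if run_iptables -C 2>/dev/null; then
    echo "CVE-2020-8558 mitigation already present"
  else
    run_iptables -I && echo "CVE-2020-8558 mitigation applied"
  fi
}

remove_mitigation() {
  run_iptables -D 2>/dev/null && echo "CVE-2020-8558 mitigation removed"
}

case "${1:-}" in
  apply)  apply_mitigation ;;
  remove) remove_mitigation ;;
  check)  if run_iptables -C 2>/dev/null; then echo present; else echo absent; fi ;;
  show)   cve_2020_8558_iptables_cmd -I ;;
  *)      ;;   # no subcommand: only define the functions (file can be sourced)
esac
```

Run it as `sh mitigate.sh apply` on each node. iptables rules do not survive a reboot, so the same command has to be re-run at boot, for example from a systemd unit or a privileged DaemonSet with hostNetwork and NET_ADMIN; `sh mitigate.sh check` is the quickest way to confirm the rule is still in place.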

# Probe the node's kubelet read-only port from a neighbouring pod (a service that should be reachable only from localhost)
nc -v 10.44.0.1 10255

CVE-2020-8558 illustrates a subtle interaction between Kubernetes' network proxy and Linux kernel routing behavior: kube-proxy enables net.ipv4.conf.all.route_localnet so that NodePort services can be reached via 127.0.0.1, and that same setting makes the kernel accept packets addressed to 127.0.0.0/8 that arrive on a physical interface, so a neighbouring host (and, depending on the pod network, a pod) on the same layer-2 segment can reach services that bound only to localhost. Though patched in mid-2020, the vulnerability remains relevant as an example of how container isolation cannot rely solely on localhost binding. Cluster administrators must validate both the route_localnet status and the kube-proxy version on every node, and adopt network policies to restrict pod-to-node IP traffic.
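The checks the closing paragraph calls for, as an added example that is not part of the original page or the Kubernetes project. The fixed versions it compares against (v1.16.11, v1.17.7, v1.18.4) are the ones named in the Kubernetes advisory; the way it discovers the running kube-proxy version (the kube-system/kube-proxy DaemonSet image tag) is an assumption that matches kubeadm-style clusters and may need adapting elsewhere.

```shell
#!/bin/sh
# Added example (not from the original page or the Kubernetes project).
# Per-node checks for CVE-2020-8558 exposure: the route_localnet sysctl and the
# kube-proxy version. Fixed versions per the Kubernetes advisory are v1.16.11,
# v1.17.7 and v1.18.4; everything older in each series, and anything before
# v1.16, is affected.

# Pure version test: exit 0 when the given kube-proxy version is affected.
# Accepts "v1.18.3" or "1.18.3" and tolerates vendor suffixes such as "v1.18.3-gke.100".
kube_proxy_vulnerable() {
  v=${1#v}
  major=$(echo "$v" | cut -d. -f1)
  minor=$(echo "$v" | cut -d. -f2)
  patch=$(echo "$v" | cut -d. -f3)
  patch=${patch%%[!0-9]*}               # keep only the leading digits of the patch field
  [ "${major:-0}" -eq 1 ] || return 1   # assumption: only 1.x releases are in scope
  case "$minor" in
    18) [ "${patch:-0}" -lt 4 ] ;;
    17) [ "${patch:-0}" -lt 7 ] ;;
    16) [ "${patch:-0}" -lt 11 ] ;;
    *)  [ "${minor:-0}" -lt 16 ] ;;
  esac
}

# Pure interpretation of the sysctl value: 1 means the kernel accepts packets
# addressed to 127.0.0.0/8 on non-loopback interfaces, which is what the bypass needs.
route_localnet_enabled() {
  [ "${1:-0}" = "1" ]
}

# Live reading; must run on the node itself (or in a hostNetwork pod).
node_route_localnet() {
  sysctl -n net.ipv4.conf.all.route_localnet 2>/dev/null || echo unknown
}

# Assumption: kube-proxy runs as the kube-system/kube-proxy DaemonSet with a
# version-tagged image (kubeadm layout). Digest-pinned images need different parsing.
cluster_kube_proxy_version() {
  image=$(kubectl -n kube-system get daemonset kube-proxy \
            -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null)
  printf '%s\n' "${image##*:}"
}

report() {
  rl=$(node_route_localnet)
  if route_localnet_enabled "$rl"; then
    echo "route_localnet=1 on this node: loopback-bound services are reachable from adjacent hosts unless filtered"
  else
    echo "route_localnet=$rl on this node"
  fi
  ver=$(cluster_kube_proxy_version)
  if kube_proxy_vulnerable "$ver"; then
    echo "kube-proxy $ver is affected by CVE-2020-8558: upgrade or apply the iptables mitigation"
  else
    echo "kube-proxy ${ver:-unknown} is not in the affected range"
  fi
}

if [ "${1:-}" = "report" ]; then report; fi
```

Run `sh check.sh report` on a node (or ship it in a privileged DaemonSet and collect the output). Note that a patched kube-proxy still sets route_localnet=1, because NodePort access on localhost depends on it; the upstream fix adds a filtering rule in kube-proxy's own iptables chains rather than turning the sysctl off. A value of 1 is therefore a finding on its own only when the kube-proxy version is in the affected range or the drop rule is missing.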