5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-8557

GHSA ID

GHSA-55qj-gj3x-jq9r

EPSS Score

0.3808%

CWE

CWE-400

Published

4/24/2024

Updated

6/10/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-8557

CVE-2020-8557: Denial of service in Kubernetes

The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-8557

GHSA ID

GHSA-55qj-gj3x-jq9r

EPSS Score

0.3808%

CWE

CWE-400

Published

4/24/2024

Updated

6/10/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
k8s.io/kubernetes/pkg/kubelet	go	>= 1.1.0, < 1.16.13	1.16.13
k8s.io/kubernetes/pkg/kubelet	go	>= 1.17.0, < 1.17.9	1.17.9
k8s.io/kubernetes/pkg/kubelet	go	>= 1.18.0, < 1.18.6	1.18.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability root cause was the kubelet's failure to include pod /etc/hosts file in ephemeral storage calculations. The patch adds explicit handling for this file in podLocalEphemeralStorageUsage. The pre-patch version of this function lacked the critical 'os.Stat(etcHostsPath)' check and subsequent disk usage accounting shown in the diff, making it the clear vulnerable function. The eviction manager's modifications to pass etcHostsPath parameter and call pattern changes confirm this was the missing piece in storage calculation logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Ku**rn*t*s ku**l*t *ompon*nt in v*rsions *.*-*.**.**, *.**.*-*.**.* *n* *.**.*-*.**.* *o not ***ount *or *isk us*** *y * po* w*i** writ*s to its own /*t*/*osts *il*. T** /*t*/*osts *il* mount** in * po* *y ku**l*t is not in*lu*** *y t** ku**l*t *

Reasoning

T** vuln*r**ility root **us* w*s t** ku**l*t's **ilur* to in*lu** po* `/*t*/*osts` *il* in *p**m*r*l stor*** **l*ul*tions. T** p*t** ***s *xpli*it **n*lin* *or t*is *il* in `po*Lo**l*p**m*r*lStor***Us***`. T** pr*-p*t** v*rsion o* t*is `*un*tion` l**

5.5

Basic Information

Concerned about an active attack path?

CVE-2020-8557: Denial of service in Kubernetes

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI