| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| k8s.io/apimachinery | go | < 0.16.13 | 0.16.13 |
| k8s.io/apimachinery | go | >= 0.17.0, < 0.17.9 | 0.17.9 |
| k8s.io/apimachinery | go | >= 0.18.0, < 0.18.7 | 0.18.7 |
| k8s.io/kubernetes | go | < 1.16.13 | 1.16.13 |
| k8s.io/kubernetes | go | >= 1.17.0, < 1.17.9 | 1.17.9 |
| k8s.io/kubernetes | go | >= 1.18.0, < 1.18.7 | 1.18.7 |

The vulnerability stems from improper redirect validation in the kube-apiserver's proxy handling. The commit diff modifies the redirect logic in apimachinery's http.go to strengthen hostname validation. Before the fix, the code followed redirects to different hosts when handling upgrade requests, so a compromised node could redirect API requests to attacker-controlled endpoints while the credentials were preserved. The PoC exploit demonstrates this by injecting malicious Location headers into Kubelet responses, which the vulnerable proxy logic then propagates.
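
A same-host redirect check of the kind the paragraph describes, written as an added example and not taken from the apimachinery patch. The names `nextHop` and `ErrCrossHost` and all hostnames are hypothetical, and the sample Location values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrCrossHost marks a redirect whose target host differs from the dialed host.
var ErrCrossHost = errors.New("redirect to a different host refused")

// nextHop is a hypothetical helper, not apimachinery's function. It resolves a
// Location header against the URL the proxy dialed and returns the next URL
// only when the hostname is unchanged. Ports are not compared.
func nextHop(dialed, location string) (string, error) {
	base, err := url.Parse(dialed)
	if err != nil {
		return "", fmt.Errorf("bad dialed URL: %w", err)
	}
	if location == "" {
		return "", errors.New("redirect without Location header")
	}
	ref, err := url.Parse(location)
	if err != nil {
		return "", fmt.Errorf("bad Location header: %w", err)
	}
	// Resolve first so relative, scheme-relative ("//host/...") and
	// userinfo ("https://a@b/") forms are all judged by their real target.
	next := base.ResolveReference(ref)
	if !strings.EqualFold(next.Hostname(), base.Hostname()) {
		return "", fmt.Errorf("%w: dialed %q, Location points to %q",
			ErrCrossHost, base.Hostname(), next.Hostname())
	}
	return next.String(), nil
}

func main() {
	// Constructed sample values; hostnames are placeholders.
	dialed := "https://node-1.cluster.example:10250/exec/ns/pod/ctr"
	for _, loc := range []string{
		"/cri/exec/token",            // same host, relative
		"https://other.example/path", // different host
		"//other.example/x",          // scheme-relative, different host
	} {
		next, err := nextHop(dialed, loc)
		fmt.Printf("%-32q -> %q err=%v\n", loc, next, err)
	}
}
```

Because the comparison runs on the resolved URL, a Location value that embeds the expected hostname in the userinfo part is still rejected.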