Kubernetes API Server acts as proxy for internal and external IPs
Severity
Unspecified
Description
The Kubernetes API, in versions 1.11.x prior to 1.11.6 and 1.12.x prior to 1.12.4, contains an improper proxy. A remote authenticated user is able to send HTTP requests through the Kubernetes API server within the server's network.
Affected VMware Products and Versions
Severity is unspecified unless otherwise noted.
- Pivotal Container Service (PKS)
  - versions 1.2.x prior to 1.2.5
Mitigation
Users of affected versions should apply the following mitigation:
- Pivotal recommends upgrading the following releases:
  - Pivotal Container Service (PKS)
    - Upgrade 1.2.x versions to 1.2.5 or greater
References
- https://www.cloudfoundry.org/blog/k8s-api-server-proxy
- https://github.com/kubernetes/kubernetes/pull/71980
History
2019-01-08: Initial vulnerability report published.