CVEs-PoC/2020/CVE-2020-8562.md

### [CVE-2020-8562](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8562)
![](https://img.shields.io/static/v1?label=Product&message=Kubernetes&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%20v1.18.18%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-367%20Time-of-check%20Time-of-use%20(TOCTOU)%20Race%20Condition&color=brighgreen)

### Description

As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/43622283/awesome-cloud-native-security
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Metarget/awesome-cloud-native-security
- https://github.com/adavarski/HomeLab-Proxmox-k8s-DevSecOps-playground
- https://github.com/adavarski/HomeLab-k8s-DevSecOps-playground
- https://github.com/atesemre/awesome-cloud-native-security