Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet.
Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 1784603]
Created kubernetes:1.10/kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 1784604]
Kubernetes is embedded in the version of heketi shipped with Red Hat Gluster Storage 3. However, it does not use Kubernetes API server part and only uses client side bits.
Fixed in OpenShift 4.1.0:
OpenShift Container Platform 4 is not affected by this flaw as it has included the upstream patch since version 4.1.0.
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2020:5363 https://access.redhat.com/errata/RHSA-2020:5363
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):