CVE-2020-8551: 
NixOS vulnerability analysis and mitigation

The Kubelet component in Kubernetes versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 was identified as vulnerable to a denial of service attack. The vulnerability, tracked as CVE-2020-8551, affects the kubelet API, including both the unauthenticated HTTP read-only API (typically served on port 10255) and the authenticated HTTPS API (typically served on port 10250). The vulnerability was reported by Henrik Schmidt and was publicly disclosed in March 2020 (Kubernetes Issue).

The vulnerability has been assigned a CVSS v3.0 score of 4.3 (Medium) with the vector string CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. This scoring indicates that the vulnerability requires adjacent network access, has low attack complexity, requires no privileges or user interaction, and can only affect availability with low impact (Kubernetes Issue, NetApp Advisory).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition in the affected Kubelet component. The attack affects the availability of the Kubelet API services, potentially disrupting container management and monitoring capabilities (NetApp Advisory).

The vulnerability has been fixed in Kubernetes versions v1.17.3, v1.16.7, and v1.15.10. Users are advised to upgrade to these or later versions to address the vulnerability. Additionally, organizations can mitigate the risk by limiting access to the Kubelet API (Kubernetes Issue).