CVE-2020-8555: 
Grafana vulnerability analysis and mitigation

A Server Side Request Forgery (SSRF) vulnerability was discovered in the Kubernetes kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network, such as link-local or loopback services. The vulnerability affects versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0. This issue has been rated as medium severity with a CVSS score of 6.3 (Kubernetes Issue, NVD).

The vulnerability allows an attacker with permissions to create pods with certain built-in Volume types (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a StorageClass to cause kube-controller-manager to make GET or POST requests without an attacker-controlled request body from the master's host network. The exploitation causes the kube-controller-manager to make a request to a user-supplied, unvalidated URL, though the request does not include any kube-controller-manager client credentials (Openwall List, Kubernetes Issue).

When successfully exploited, this vulnerability could lead to the disclosure of sensitive information from unprotected endpoints within the master's host network. This includes potential access to link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the master's private network (Sysdig Blog, NetApp Advisory).

Prior to upgrading, the vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types through PodSecurityPolicy or third-party admission controllers such as Gatekeeper. Additionally, StorageClass write permissions should be restricted through RBAC. The vulnerability has been patched in versions v1.18.1+, v1.17.5+, v1.16.9+, and v1.15.12+ (Kubernetes Announce).