
Cloud Vulnerability DB
A community-led vulnerabilities database
A security issue (CVE-2020-8561) was discovered in Kubernetes where actors who control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests can redirect kube-apiserver requests to private networks reachable from the apiserver. If that actor can also read the kube-apiserver logs while the log level is set to 10 or higher, they can see the redirected responses and their headers in those logs. The vulnerability was rated Medium with a CVSS score of 4.1 and affects all known versions of kube-apiserver (Kubernetes Issue, NVD).
The vulnerability lies in how kube-apiserver handles admission webhook responses and has been assigned a CVSS v3.1 Base Score of 4.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N; the PR:H component reflects that the attacker must already be able to register or control an admission webhook. The exploitable configuration is one where kube-apiserver logs at verbosity 10 or higher, or where the --profiling flag is enabled so that the log level can be raised to that value at runtime; in either case the actor controlling the validating or mutating webhook must also be able to read the kube-apiserver process logs (Kubernetes Issue).
Successful exploitation leads to disclosure of sensitive information. An attacker who controls webhook responses and can read kube-apiserver logs at a high log level sees the redirected responses and headers in those logs, which can expose data from private networks that the apiserver can reach but the attacker cannot (NetApp Advisory).
The vulnerability can be mitigated by: 1) not allowing kube-apiserver network access to sensitive resources or networks, 2) keeping the '-v' (also written '--v') log verbosity flag below 10, and 3) setting the '--profiling' flag to 'false' (the default value is 'true'). Setting '--profiling=false' prevents users from dynamically raising the kube-apiserver log level at runtime, but it does not lower a verbosity that is already configured at 10 or higher, so both settings should be checked. With a log level below 10, webhook requests may still be redirected to private networks, but the response body and headers are not written to the log (Kubernetes Issue).
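The following is an added example, not code from Kubernetes or from the original report, showing how to check the two settings above against the argv of a kube-apiserver static pod and produce a hardened argv. It assumes the command list as found under .spec.containers[].command in a kubeadm-style /etc/kubernetes/manifests/kube-apiserver.yaml, a klog default verbosity of 0 when no '-v'/'--v' flag is present, the documented '--profiling' default of true, and an arbitrarily chosen replacement verbosity of 2 for hardening; the sample argv is constructed for the example.

```python
"""Audit kube-apiserver flags for the two settings behind CVE-2020-8561:
a log verbosity of 10 or more (webhook response bodies and headers are
logged) and --profiling=true (the verbosity can be raised at runtime).
Example code, not part of Kubernetes."""

from typing import Dict, List, Optional

# klog accepts both the short and the long spelling of the verbosity flag.
VERBOSITY_FLAGS = ("-v", "--v")
PROFILING_FLAG = "--profiling"
# Verbosity at which kube-apiserver logs webhook responses and headers.
LEAK_VERBOSITY = 10
# Replacement verbosity used by harden(); an assumption for this example.
DEFAULT_TARGET_VERBOSITY = 2


def parse_flags(args: List[str]) -> Dict[str, Optional[str]]:
    """Map an argv (args[0] is the binary) to {flag: value}.

    Handles "--flag=value" and "--flag value". A bare "--profiling" is kept
    with value None and means true, as with Go's pflag boolean flags."""
    flags: Dict[str, Optional[str]] = {}
    i = 1
    while i < len(args):
        tok = args[i]
        if not tok.startswith("-"):
            i += 1  # positional token, not a flag
            continue
        if "=" in tok:
            name, value = tok.split("=", 1)
            flags[name] = value
        elif tok == PROFILING_FLAG:
            flags[tok] = None  # boolean flag never consumes the next token
        elif i + 1 < len(args) and not args[i + 1].startswith("-"):
            flags[tok] = args[i + 1]  # "--flag value" form
            i += 1
        else:
            flags[tok] = None
        i += 1
    return flags


def verbosity(flags: Dict[str, Optional[str]]) -> int:
    for name in VERBOSITY_FLAGS:
        if flags.get(name) is not None:
            return int(flags[name])
    return 0  # klog default when no verbosity flag is given


def profiling_enabled(flags: Dict[str, Optional[str]]) -> bool:
    if PROFILING_FLAG not in flags:
        return True  # kube-apiserver default
    value = flags[PROFILING_FLAG]
    return value is None or value.lower() == "true"


def audit(args: List[str]) -> dict:
    """Return the effective settings plus a list of human-readable findings."""
    flags = parse_flags(args)
    level = verbosity(flags)
    profiling = profiling_enabled(flags)
    findings = []
    if level >= LEAK_VERBOSITY:
        findings.append(f"log verbosity {level} >= {LEAK_VERBOSITY}: "
                        "webhook responses and headers are written to the log")
    if profiling:
        findings.append("--profiling is enabled (the default): "
                        "the log verbosity can be raised at runtime")
    return {"verbosity": level, "profiling": profiling, "findings": findings}


def harden(args: List[str], target_verbosity: int = DEFAULT_TARGET_VERBOSITY) -> List[str]:
    """Return a copy of argv with --profiling=false and the verbosity capped
    below LEAK_VERBOSITY. Existing verbosity/profiling tokens are removed
    (including a separate value token in the "--v 10" form)."""
    current = verbosity(parse_flags(args))
    out = [args[0]]
    i = 1
    while i < len(args):
        tok = args[i]
        name = tok.split("=", 1)[0]
        if name in VERBOSITY_FLAGS or name == PROFILING_FLAG:
            if ("=" not in tok and name in VERBOSITY_FLAGS
                    and i + 1 < len(args) and not args[i + 1].startswith("-")):
                i += 1  # skip the separate value token
            i += 1
            continue
        out.append(tok)
        i += 1
    out.append(f"{PROFILING_FLAG}=false")
    out.append(f"--v={target_verbosity if current >= LEAK_VERBOSITY else current}")
    return out


# Constructed sample: the command list of a kubeadm-style static pod manifest
# on a cluster that was once debugged at --v=10 and never reset.
SAMPLE_ARGS = [
    "kube-apiserver",
    "--advertise-address=10.0.0.5",
    "--allow-privileged=true",
    "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction",
    "--etcd-servers=https://127.0.0.1:2379",
    "--secure-port=6443",
    "--v=10",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARGS)["findings"]:
        print("FINDING:", finding)
    print("hardened argv:", harden(SAMPLE_ARGS))
```

On a live cluster the argv can be pulled with kubectl (for example from the kube-apiserver pod spec in kube-system) and fed to audit(); the hardened list is what the manifest's command should contain after remediation, with a restart of the static pod to apply it.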
Source: This report was generated using AI