CVE-2020-8562 is a Kubernetes API server proxy vulnerability caused by a time-of-check to time-of-use (TOCTOU) flaw in DNS resolution during user-driven proxied connections to Services, Pods, Nodes, or StorageClass service providers. As part of prior mitigations for proxy abuse and SSRF-like access to restricted destinations, Kubernetes resolves the target hostname once to validate that the returned IP is not in localhost (127.0.0.0/8) or link-local (169.254.0.0/16) space. Kubernetes then performs a second DNS resolution for the actual outbound connection, but that second result is not subject to the same validation. If an attacker can cause the two lookups to return different answers, such as via DNS rebinding or a non-standard DNS server returning uncached inconsistent responses, the attacker can bypass the proxy IP restriction and direct the API server proxy to otherwise blocked private destinations on the control plane network. The issue is considered architectural and has been described by Kubernetes as not fully remediable in code without breaking legitimate split-horizon DNS or dynamic-IP environments.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unfixed Kubernetes architectural/design issue in the API server proxy involving a DNS TOCTOU race condition that can allow bypass of IP restrictions.
An unpatchable Kubernetes vulnerability that can allow attackers to bypass filters intended to prevent misuse of the API server proxy feature.
An unpatchable Kubernetes TOCTOU vulnerability in the API server proxy that enables bypass of SSRF protections via DNS rebinding.
A Kubernetes vulnerability involving bypass of security controls intended to mitigate SSRF attacks.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.