Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8561 | Datadog Security Labs This article explains CVE-2020-8561, an unpatchable Kubernetes vulnerability that combines an SSRF vector via ValidatingWebhookConfiguration objects with the API server's profiling endpoints to escalate impact by exposing full responses. The exploit requires valid cluster credentials (typically cluster-admin) to change the API server log level and then trigger webhook-initiated requests to probe internal services. #CVE-2020-8561 #kube-apiserver

CVE-2020-8561 exploits an SSRF flaw in Kubernetes API server’s ValidatingWebhookConfiguration and profiling endpoints to expose full responses. Requires cluster-admin creds to escalate impact. #KubernetesSecurity #SSRF #CVE20208561