Man-in-the-Middle (MitM) Affecting Open this link in a new tab package, versions <1.21.0-alpha.1

  • Exploit Maturity

    Proof of concept

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    8 Dec 2020

  • disclosed

    7 Dec 2020

  • credit

    Etienne Champetier of Anevia

How to fix?

Upgrade to version 1.21.0-alpha.1 or higher.

Overview is a Production-Grade Container Scheduling and Management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Mitigations have been published:

  1. To restrict the use of external IPs we are providing an admission webhook container: The source code and deployment instructions are published at
  2. Alternatively, external IPs can be restricted using OPA Gatekeeper. A sample ConstraintTemplate and Constraint can be found here: