Man-in-the-Middle (MitM) Affecting package, versions <1.21.0-alpha.1



    Exploit Maturity Proof of concept
    Attack Complexity Low
Expand this section
5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • published 8 Dec 2020
  • disclosed 7 Dec 2020
  • credit Etienne Champetier of Anevia

How to fix?

Upgrade to version 1.21.0-alpha.1 or higher.

Overview is a Production-Grade Container Scheduling and Management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Mitigations have been published:

  1. To restrict the use of external IPs we are providing an admission webhook container: The source code and deployment instructions are published at
  2. Alternatively, external IPs can be restricted using OPA Gatekeeper. A sample ConstraintTemplate and Constraint can be found here: