Alpine: multiple k3s packages: security update to 1.18.3.1-r0

medium Tenable Self-Hosted Container Security Plugin ID 405060

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9,
v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain
authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the
master's host network (such as link-local or loopback services). (CVE-2020-8555)

- A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows
malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious
container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other
containers, to redirect traffic to the malicious container. (CVE-2020-10749)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-10749

https://security.alpinelinux.org/vuln/CVE-2020-8555

Plugin Details

Severity: Medium

ID: 405060

Version: Revision 1.26

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 50.87

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2020-10749

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-8555

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/1/2020

Reference Information

CVE: CVE-2020-10749, CVE-2020-8555