CVE-2021-25736
Published 2023-10-30
CVE-2021-25736: Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when…
Priority: P434, medium, 6.3 (CVSS 3.1)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.91% (55.4th percentile)
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | — | — |
| k8s.io | kubernetes | >= 0 < 1.21 | 1.21 |
| k8s.io | kubernetes | >= 0 < 1.21.0 | 1.21.0 |
| kubernetes | kubernetes | <= v1.20.5 | — |
| kubernetes | kubernetes | >= 1.18.0 < 1.18.18 | 1.18.18 |
| kubernetes | kubernetes | >= 1.19.0 < 1.19.10 | 1.19.10 |
| kubernetes | kubernetes | >= 1.20.0 < 1.20.6 | 1.20.6 |
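
A defensive inventory check for the condition described above, as an added example that is not part of the advisory or of Kubernetes itself: it lists LoadBalancer Services that have an ingress entry with no `ip`, and tests a kube-proxy version against the fixed releases in the table. The function names and the sample data are constructed for illustration; the input has the shape of `kubectl get services --all-namespaces -o json`.

```python
import re

# Fixed patch release per 1.x minor line, taken from the "Affected" table above.
FIXED_PATCH = {18: 18, 19: 10, 20: 6}

def kube_proxy_affected(version):
    """True if a version such as 'v1.20.5' predates the fix for its release line."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) >= (1, 21):
        return False
    fixed = FIXED_PATCH.get(minor) if major == 1 else None
    # Lines older than 1.18 have no fixed release listed in the table.
    return fixed is None or patch < fixed

def services_missing_ingress_ip(service_list):
    """Return (namespace, name, ports) for LoadBalancer Services that have an
    ingress entry without 'ip'. Services with no ingress entries yet are not reported."""
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        if any(not entry.get("ip") for entry in ingress):
            meta = svc["metadata"]
            ports = [p["port"] for p in spec.get("ports", [])]
            findings.append((meta["namespace"], meta["name"], ports))
    return findings

# Constructed sample data (hostname-only ingress, IP ingress, non-LoadBalancer).
SAMPLE = {"items": [
    {"metadata": {"namespace": "prod", "name": "web"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
     "status": {"loadBalancer": {"ingress": [{"hostname": "lb.example.com"}]}}},
    {"metadata": {"namespace": "prod", "name": "api"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 8080}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"namespace": "prod", "name": "db"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]},
     "status": {"loadBalancer": {}}},
]}

if __name__ == "__main__":
    for ns, name, ports in services_missing_ingress_ip(SAMPLE):
        print(f"{ns}/{name}: ingress without IP, review Windows nodes for listeners on {ports}")
```

A finding matters only where Windows nodes run a kube-proxy version for which `kube_proxy_affected` returns true.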
CVSS provenance
nvd: v3.1, 6.3 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
vendor_debian: 5.8 LOW
vendor_redhat: 5.8 MEDIUM
Red Hat
kubernetes: LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM
vendor_redhat·2021-05-10·CVSS 5.8
CVE-2021-25736 [MEDIUM] CWE-200 kubernetes: LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.
A flaw was found in the Windows kube-proxy component. In a cloud environment that does not set the “.status.loadBalancer.ingress.ip” field in the LoadBalancer service status configuration (for example in AWS) the packets can be misrouted and reach an unintended destination.
Statement: Clusters where the Loa
Debian
CVE-2021-25736: kubernetes - Kube-proxy on Windows can unintentionally forward traffic to local processes l...
vendor_debian·2021·CVSS 5.8
CVE-2021-25736 [MEDIUM] CVE-2021-25736: kubernetes - Kube-proxy on Windows can unintentionally forward traffic to local processes l...
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes
osv·2024-08-21
CVE-2021-25736 Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes
GHSA
Kube-proxy may unintentionally forward traffic
ghsa·2023-10-30
CVE-2021-25736 [MEDIUM] Kube-proxy may unintentionally forward traffic
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (`spec.ports[*].port`) as a LoadBalancer Service when the LoadBalancer controller does not set the `status.loadBalancer.ingress[].ip` field. Clusters where the LoadBalancer controller sets the `status.loadBalancer.ingress[].ip` field are unaffected.
OSV
Kube-proxy may unintentionally forward traffic
osv·2023-10-30
CVE-2021-25736 [MEDIUM] Kube-proxy may unintentionally forward traffic
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (`spec.ports[*].port`) as a LoadBalancer Service when the LoadBalancer controller does not set the `status.loadBalancer.ingress[].ip` field. Clusters where the LoadBalancer controller sets the `status.loadBalancer.ingress[].ip` field are unaffected.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/kubernetes/kubernetes/pull/99958
https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ
https://security.netapp.com/advisory/ntap-20231221-0003/