CVE-2021-25737 — Incomplete List of Disallowed Inputs in Kubernetes

CWE-184 — Incomplete List of Disallowed Inputs CWE-601 — Open Redirect CWE-20 — Improper Input Validation8 documents6 sources

Severity

4.8MEDIUMNVD

CNA2.7

EPSS

0.4%

top 40.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Kubernetes

Timeline

PublishedSep 6

Latest updateAug 21

Description

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages4 packages

▶Gok8s.io/kubernetes1.16.0 — 1.18.19+3

▶NVDkubernetes/kubernetes1.16.0 — 1.18.19+3

▶Debiankubernetes/kubernetes< 1.20.5+really1.20.2-1+3

▶CVEListV5kubernetes/kubernetesunspecified — 1.18.18+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Incomplete List of Disallowed Inputs in Kubernetes in k8s.io/kubernetes↗2024-08-21

▶

OSV

Incomplete List of Disallowed Inputs in Kubernetes↗2021-09-07

▶

GHSA

Incomplete List of Disallowed Inputs in Kubernetes↗2021-09-07

▶

CVEList

Holes in EndpointSlice Validation Enable Host Network Hijack↗2021-09-06

▶

OSV

CVE-2021-25737: A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node↗2021-09-06

▶

📋Vendor Advisories

Red Hat

kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack↗2021-05-18

▶

Debian

CVE-2021-25737: kubernetes - A security issue was discovered in Kubernetes where a user may be able to redire...↗2021

▶