CVE-2021-25737
Published 2021-09-06
Priority P4 · 20 · medium · 4.8 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.33% (67.6th percentile)
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 1.16.0 < 1.18.19 | 1.18.19 |
| k8s.io | kubernetes | >= 1.19.0 < 1.19.11 | 1.19.11 |
| k8s.io | kubernetes | >= 1.20.0 < 1.20.7 | 1.20.7 |
| k8s.io | kubernetes | >= 1.21.0 < 1.21.1 | 1.21.1 |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 1.16.0 < 1.18.19 | 1.18.19 |
| kubernetes | kubernetes | >= 1.19.0 < 1.19.10 | 1.19.10 |
| kubernetes | kubernetes | >= 1.20.0 < 1.20.7 | 1.20.7 |
| kubernetes | kubernetes | unspecified – 1.18.18 | — |
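CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.9 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N |
| osv | — | 4.8 | MEDIUM | — |
| vendor_debian | — | 2.7 | LOW | — |
| vendor_redhat | — | 2.7 | LOW | — |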
OSV
Incomplete List of Disallowed Inputs in Kubernetes in k8s.io/kubernetes
osv·2024-08-21
CVE-2021-25737 Incomplete List of Disallowed Inputs in Kubernetes in k8s.io/kubernetes
OSV
Incomplete List of Disallowed Inputs in Kubernetes
osv·2021-09-07
CVE-2021-25737 [MEDIUM] Incomplete List of Disallowed Inputs in Kubernetes
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
GHSA
Incomplete List of Disallowed Inputs in Kubernetes
ghsa·2021-09-07
CVE-2021-25737 [MEDIUM] CWE-184 Incomplete List of Disallowed Inputs in Kubernetes
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
OSV
CVE-2021-25737: A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node
osv·2021-09-06·CVSS 4.8
CVE-2021-25737 [MEDIUM] CVE-2021-25737: A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
Red Hat
kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack
vendor_redhat·2021-05-18·CVSS 2.7
CVE-2021-25737 [LOW] CWE-20 kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. An untrusted user could exploit this by creating or modifying EndpointSlices to point to localhost or link-local addresses.
Statement: OpenShift Container Platform (OCP) 3.11 is not affected by this vulnerability as it does not support EndpointSlices. All current versions of OCP 4 support EndpointSlices and
Debian
CVE-2021-25737: kubernetes - A security issue was discovered in Kubernetes where a user may be able to redire...
vendor_debian·2021·CVSS 2.7
CVE-2021-25737 [LOW] CVE-2021-25737: kubernetes - A security issue was discovered in Kubernetes where a user may be able to redire...
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
No detection rules found.
No public exploits indexed.
https://github.com/kubernetes/kubernetes/issues/102106
https://groups.google.com/g/kubernetes-security-announce/c/xAiN3924thY
https://security.netapp.com/advisory/ntap-20211004-0004/