CVE-2021-25740 — Confused Deputy in Kubernetes

CWE-441 — Confused Deputy CWE-610 — Externally Controlled Reference to a Resource in Another Sphere CWE-863 — Incorrect Authorization7 documents6 sources

Severity

3.1LOWNVD

EPSS

0.7%

top 28.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes K8s.io Kubernetes

Timeline

PublishedSep 20

Latest updateSep 21

Description

A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages3 packages

▶Debiankubernetes/kubernetes< 1.20.5+really1.20.2-1+3

▶Gok8s.io/kubernetes1.22.2

▶CVEListV5kubernetes/kubernetesunspecified — 1.20.11+2

🔴Vulnerability Details

GHSA

Confused Deputy in Kubernetes↗2021-09-21

▶

OSV

Confused Deputy in Kubernetes↗2021-09-21

▶

OSV

CVE-2021-25740: A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to v↗2021-09-20

▶

CVEList

Holes in EndpointSlice Validation Enable Host Network Hijack↗2021-09-20

▶

📋Vendor Advisories

Red Hat

kubernetes: Endpoint & EndpointSlice permissions allow cross-Namespace forwarding↗2021-07-15

▶

Debian

CVE-2021-25740: kubernetes - A security issue was discovered with Kubernetes that could enable users to send ...↗2021

▶