CVE-2021-25737
LOWKubernetes 1.16.0-1.18.18 - Unauthenticated Private Network Traffic Redirection via EndpointSlice IP Validation Bypass
Title source: llmDescription
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory x_refsource_misc
https://groups.google.com/g/kubernetes-security-announce/c/xAiN3924thY
Patch, Third Party Advisory x_refsource_misc
https://github.com/kubernetes/kubernetes/issues/102106
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20211004-0004/
Scores
CVSS v3
2.7
EPSS
0.0129
EPSS Percentile
66.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-184
CWE-601
Status
published
Products (3)
k8s.io/kubernetes
1.16.0 - 1.18.19Go
kubernetes/kubernetes
1.21.0
kubernetes/kubernetes
1.16.0 - 1.18.19
Published
Sep 06, 2021
Tracked Since
Feb 18, 2026