CVE-2021-25737

LOW

Kubernetes - Open Redirect

Title source: llm

Description

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

References (3)

[Mailing List, Third Party Advisory] https://groups.google.com/g/kubernetes-security-announce/c/xAiN3924thY

[Patch, Third Party Advisory] https://github.com/kubernetes/kubernetes/issues/102106

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20211004-0004/

Scores

CVSS v3 2.7

EPSS 0.0038

EPSS Percentile 59.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-184 CWE-601

Status published

Products (3)

k8s.io/kubernetes 1.16.0 - 1.18.19Go

kubernetes/kubernetes 1.21.0

kubernetes/kubernetes 1.16.0 - 1.18.19

Published Sep 06, 2021

Tracked Since Feb 18, 2026