CVE-2021-25737
MEDIUM4.8EPSS 0.38%Incomplete List of Disallowed Inputs in Kubernetes in k8s.io/kubernetes
Published: 9/7/2021Modified: 4/28/2026
Description
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
Affected packages (3)
- Debian/kubernetesfrom 0, < 1.20.5+really1.20.2-1
- Go/k8s.io/kubernetes>= 1.16.0, < 1.18.19
- Go/k8s.io/kubernetes>= 1.16.0, < 1.18.19, >= 1.19.0, < 1.19.11, >= 1.20.0, < 1.20.7, >= 1.21.0, < 1.21.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
References (7)
- ADVISORYhttps://github.com/advisories/GHSA-mfv7-gq43-w965
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-25737
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-25737
- PATCHhttps://github.com/kubernetes/kubernetes
- WEBhttps://github.com/kubernetes/kubernetes/issues/102106
- WEBhttps://groups.google.com/g/kubernetes-security-announce/c/xAiN3924thY
- WEBhttps://security.netapp.com/advisory/ntap-20211004-0004