CVE-2021-25737

URL Redirection to Untrusted Site (Open Redirect) in go/k8s.io/kubernetes/pkg/apis/apps/validation

Identifiers

CVE-2021-25737

Package Slug

go/k8s.io/kubernetes/pkg/apis/apps/validation

Vulnerability

URL Redirection to Untrusted Site (Open Redirect)

Description

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

Affected Versions

All versions starting from 1.16.0 before 1.18.19, all versions starting from 1.19.0 before 1.19.10, all versions starting from 1.20.0 before 1.20.7, all versions starting from version 1.21.0 before 1.21.1

Solution

Upgrade to version 1.18.19, 1.19.10, 1.20.7, 1.21.1 or above.

Last Modified

2021-09-17

source