CVE-2021-25737: URL Redirection to Untrusted Site ('Open Redirect')

September 7, 2021 (updated October 5, 2021)

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

References

github.com/advisories/GHSA-mfv7-gq43-w965
github.com/kubernetes/kubernetes/issues/102106
groups.google.com/g/kubernetes-security-announce/c/xAiN3924thY
nvd.nist.gov/vuln/detail/CVE-2021-25737
security.netapp.com/advisory/ntap-20211004-0004/

Detect and mitigate CVE-2021-25737 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →