Vulnerability Details : CVE-2021-25736
Kube-proxy
on Windows can unintentionally forward traffic to local processes
listening on the same port (“spec.ports[*].port”) as a LoadBalancer
Service when the LoadBalancer controller
does not set the “status.loadBalancer.ingress[].ip” field. Clusters
where the LoadBalancer controller sets the
“status.loadBalancer.ingress[].ip” field are unaffected.
Products affected by CVE-2021-25736
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-25736
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 47 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-25736
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N |
1.3
|
4.0
|
Kubernetes | |
6.3
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
1.8
|
4.0
|
NIST |
References for CVE-2021-25736
-
https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ
[Security Advisory] CVE-2021-25736: Windows kube-proxy LoadBalancer contentionMailing List;Third Party Advisory
-
https://github.com/kubernetes/kubernetes/pull/99958
For LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP by sbangari · Pull Request #99958 · kubernetes/kubernetes · GitHubThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20231221-0003/
CVE-2021-25736 Kubernetes Vulnerability in NetApp Products | NetApp Product Security
Jump to