CVE-2021-25737

Severity Low
Remote Yes
Type Insufficient validation
A security issue was discovered in kube-apiserver before version 1.21.1 where a user may be able to redirect pod traffic to private networks on a node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
Group     Package         Affected  Fixed     Severity  Status  Ticket
AVG-1970  kube-apiserver  1.21.0-1  1.21.1-1  Low       Fixed   

Date         Advisory       Group     Package         Severity  Type
09 Jun 2021  ASA-202106-29  AVG-1970  kube-apiserver  Low       insufficient validation

To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that rejects EndpointSlices with endpoint addresses in the localhost (127.0.0.0/8) and link-local (169.254.0.0/16) ranges, the same ranges the apiserver already refuses for Endpoints. Register the webhook for CREATE and UPDATE of endpointslices in the discovery.k8s.io API group, and set its failurePolicy to Fail so that an outage of the webhook does not silently reopen the gap. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces the same restriction.
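As an added example (not part of this advisory and not code from the Kubernetes project), here is the admission decision such a webhook makes, written in Go against the standard library only. The EndpointSlice and AdmissionReview types are hand-written subsets of the discovery.k8s.io/v1 and admission.k8s.io/v1 wire formats rather than imports of k8s.io/api; the IPv6 loopback and link-local ranges are an assumption that extends the two IPv4 ranges named above to dual-stack clusters; the /validate path, the listen port and the certificate paths are placeholders; and SampleReview is a constructed request, not one captured from a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
)

// Ranges to refuse: the IPv4 loopback and link-local ranges kube-apiserver already
// rejects for Endpoints, plus (an assumption) their IPv6 equivalents for dual-stack.
var blockedCIDRs = []string{"127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10"}

// Hand-written subsets of the EndpointSlice and AdmissionReview wire formats.
type (
	EndpointSlice struct {
		AddressType string `json:"addressType"` // IPv4, IPv6 or FQDN
		Endpoints   []struct {
			Addresses []string `json:"addresses"`
		} `json:"endpoints"`
	}
	AdmissionRequest struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	}
	AdmissionResponse struct {
		UID     string            `json:"uid"`
		Allowed bool              `json:"allowed"`
		Status  map[string]string `json:"status,omitempty"`
	}
	AdmissionReview struct {
		APIVersion string             `json:"apiVersion"`
		Kind       string             `json:"kind"`
		Request    *AdmissionRequest  `json:"request,omitempty"`
		Response   *AdmissionResponse `json:"response,omitempty"`
	}
)

// BlockedAddress returns the first endpoint address inside a refused range and that
// range, or "", "" when the slice is clean. FQDN slices hold DNS names, not IPs, and
// are skipped; an unparseable address in an IP slice is refused too (fail closed).
func BlockedAddress(s EndpointSlice) (addr, rng string) {
	if s.AddressType == "FQDN" {
		return "", ""
	}
	for _, ep := range s.Endpoints {
		for _, a := range ep.Addresses {
			ip := net.ParseIP(a)
			if ip == nil {
				return a, "unparseable"
			}
			for _, c := range blockedCIDRs {
				if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
					return a, c
				}
			}
		}
	}
	return "", ""
}

// Review decides one serialised AdmissionReview and returns the reply to send back.
func Review(body []byte) (AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return AdmissionReview{}, fmt.Errorf("malformed AdmissionReview: %v", err)
	}
	var s EndpointSlice
	if err := json.Unmarshal(in.Request.Object, &s); err != nil {
		return AdmissionReview{}, fmt.Errorf("object is not an EndpointSlice: %w", err)
	}
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	if addr, rng := BlockedAddress(s); addr != "" {
		resp.Allowed = false
		resp.Status = map[string]string{"message": fmt.Sprintf(
			"endpoint address %s is in refused range %s (CVE-2021-25737 mitigation)", addr, rng)}
	}
	return AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

// Handler is the HTTPS path the ValidatingWebhookConfiguration points at; the
// apiserver applies the webhook's failurePolicy to any non-200 reply.
func Handler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // a short read fails Review
	out, err := Review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(out)
}

// SampleReview is a constructed request: an IPv4 slice whose second endpoint is loopback.
const SampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"3a1b",
 "object":{"apiVersion":"discovery.k8s.io/v1","kind":"EndpointSlice","addressType":"IPv4",
 "endpoints":[{"addresses":["10.244.1.7"]},{"addresses":["127.0.0.1"]}]}}}`

func main() {
	http.HandleFunc("/validate", Handler)
	// Port and certificate paths are assumptions; the apiserver only calls webhooks over TLS.
	panic(http.ListenAndServeTLS(":8443", "/certs/tls.crt", "/certs/tls.key", nil))
}
```

The reply for SampleReview is allowed: false with a message naming 127.0.0.1 and 127.0.0.0/8, while the same slice without the loopback endpoint is allowed. Two design points carry the security weight: the webhook echoes the request uid, apiVersion and kind as the admission protocol requires, and it refuses anything it cannot parse rather than letting it through, which together with failurePolicy: Fail keeps the mitigation closed when something unexpected arrives.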