CVE-2021-25740 - log

CVE-2021-25740 edited at 14 Jul 2021 22:32:30
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. If a potential attacker can create or edit Endpoints or EndpointSlices in the Kubernetes API, they can potentially direct a LoadBalancer or Ingress implementation to expose backend IPs the attacker should not have access to. Importantly, if the target’s NetworkPolicy already trusts the Load Balancer or Ingress implementation, NetworkPolicy can not be used to prevent exposure from other namespaces, potentially bypassing any security controls such as LoadBalancerSourceRanges.
References
+ https://github.com/kubernetes/kubernetes/issues/103675
CVE-2021-25740 created at 14 Jul 2021 22:30:35
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes