{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-25736", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "state": "PUBLISHED", "assignerShortName": "kubernetes", "dateReserved": "2021-01-21T21:42:58.237Z", "datePublished": "2023-10-30T02:19:48.916Z", "dateUpdated": "2025-06-12T14:42:12.231Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Kube-Proxy"], "platforms": ["Windows"], "product": "Kubernetes", "repo": "https://github.com/kubernetes/kubernetes", "vendor": "Kubernetes", "versions": [{"lessThanOrEqual": "v1.20.5", "status": "affected", "version": "0", "versionType": "v1.20.5"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Eric Paris"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Christian Hernandez"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\nKube-proxy\n on Windows can unintentionally forward traffic to local processes \nlistening on the same port (\u201cspec.ports[*].port\u201d) as a LoadBalancer \nService when the LoadBalancer controller\n does not set the \u201cstatus.loadBalancer.ingress[].ip\u201d field. Clusters \nwhere the LoadBalancer controller sets the \n\u201cstatus.loadBalancer.ingress[].ip\u201d field are unaffected.<u></u><u></u></p>"}], "value": "Kube-proxy\n on Windows can unintentionally forward traffic to local processes \nlistening on the same port (\u201cspec.ports[*].port\u201d) as a LoadBalancer \nService when the LoadBalancer controller\n does not set the \u201cstatus.loadBalancer.ingress[].ip\u201d field. Clusters \nwhere the LoadBalancer controller sets the \n\u201cstatus.loadBalancer.ingress[].ip\u201d field are unaffected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2023-12-21T22:06:17.289Z"}, "references": [{"url": "https://github.com/kubernetes/kubernetes/pull/99958"}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ"}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0003/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>This issue has been fixed in the following versions:<u></u><u></u></p>\n<ul>\n<li>\nv1.21.0<u></u><u></u></li><li>\nv1.20.6<u></u><u></u></li><li>\nv1.19.10<u></u><u></u></li><li>\nv1.18.18</li></ul>"}], "value": "This issue has been fixed in the following versions:\n\n\n\n * \nv1.21.0\n * \nv1.20.6\n * \nv1.19.10\n * \nv1.18.18"}], "source": {"discovery": "UNKNOWN"}, "title": "Windows kube-proxy LoadBalancer contention", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:11:28.044Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/kubernetes/kubernetes/pull/99958", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0003/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-114", "lang": "en", "description": "CWE-114 Process Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-12T14:39:48.612391Z", "id": "CVE-2021-25736", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-12T14:42:12.231Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/kubernetes/kubernetes/pull/99958", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0003/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:11:28.044Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-25736", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-12T14:39:48.612391Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-114", "description": "CWE-114 Process Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-12T14:42:03.979Z"}}], "cna": {"title": "Windows kube-proxy LoadBalancer contention", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Eric Paris"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Christian Hernandez"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/kubernetes/kubernetes", "vendor": "Kubernetes", "modules": ["Kube-Proxy"], "product": "Kubernetes", "versions": [{"status": "affected", "version": "0", "versionType": "v1.20.5", "lessThanOrEqual": "v1.20.5"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "This issue has been fixed in the following versions:\n\n\n\n * \nv1.21.0\n * \nv1.20.6\n * \nv1.19.10\n * \nv1.18.18", "supportingMedia": [{"type": "text/html", "value": "<p>This issue has been fixed in the following versions:<u></u><u></u></p>\n<ul>\n<li>\nv1.21.0<u></u><u></u></li><li>\nv1.20.6<u></u><u></u></li><li>\nv1.19.10<u></u><u></u></li><li>\nv1.18.18</li></ul>", "base64": false}]}], "references": [{"url": "https://github.com/kubernetes/kubernetes/pull/99958"}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ"}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0003/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Kube-proxy\n on Windows can unintentionally forward traffic to local processes \nlistening on the same port (\u201cspec.ports[*].port\u201d) as a LoadBalancer \nService when the LoadBalancer controller\n does not set the \u201cstatus.loadBalancer.ingress[].ip\u201d field. Clusters \nwhere the LoadBalancer controller sets the \n\u201cstatus.loadBalancer.ingress[].ip\u201d field are unaffected.", "supportingMedia": [{"type": "text/html", "value": "<p>\nKube-proxy\n on Windows can unintentionally forward traffic to local processes \nlistening on the same port (\u201cspec.ports[*].port\u201d) as a LoadBalancer \nService when the LoadBalancer controller\n does not set the \u201cstatus.loadBalancer.ingress[].ip\u201d field. Clusters \nwhere the LoadBalancer controller sets the \n\u201cstatus.loadBalancer.ingress[].ip\u201d field are unaffected.<u></u><u></u></p>", "base64": false}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2023-12-21T22:06:17.289Z"}}}, "cveMetadata": {"cveId": "CVE-2021-25736", "state": "PUBLISHED", "dateUpdated": "2025-06-12T14:42:12.231Z", "dateReserved": "2021-01-21T21:42:58.237Z", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "datePublished": "2023-10-30T02:19:48.916Z", "assignerShortName": "kubernetes"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E811D79-831A-493A-A0C8-D06442D01ADD", "versionEndExcluding": "1.18.18", "versionStartIncluding": "1.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "54F99BEF-703E-43C0-846C-AB9EECE134A9", "versionEndExcluding": "1.19.10", "versionStartIncluding": "1.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "E26E82C1-754C-4E81-B7BC-FB4DACE33945", "versionEndExcluding": "1.20.6", "versionStartIncluding": "1.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kube-proxy\n on Windows can unintentionally forward traffic to local processes \nlistening on the same port (\u201cspec.ports[*].port\u201d) as a LoadBalancer \nService when the LoadBalancer controller\n does not set the \u201cstatus.loadBalancer.ingress[].ip\u201d field. Clusters \nwhere the LoadBalancer controller sets the \n\u201cstatus.loadBalancer.ingress[].ip\u201d field are unaffected."}, {"lang": "es", "value": "Kube-proxy en Windows puede reenviar tr\u00e1fico involuntariamente a procesos locales que escuchan en el mismo puerto (\u201cspec.ports[*].port\u201d) que LoadBalancer Service cuando el controlador LoadBalancer no configura \u201cstatus.loadBalancer.ingress[].ip\u201d. Los cl\u00fasteres donde el controlador LoadBalancer establece el campo \"status.loadBalancer.ingress[].ip\" no se ven afectados."}], "id": "CVE-2021-25736", "lastModified": "2025-06-12T15:15:27.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.0, "source": "jordan@liggitt.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-30T03:15:07.653", "references": [{"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/pull/99958"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ"}, {"source": "jordan@liggitt.net", "url": "https://security.netapp.com/advisory/ntap-20231221-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/pull/99958"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231221-0003/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-114"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Christian Hernandez (Red Hat) and Eric Paris (Red Hat).", "affected_release": [{"advisory": "RHSA-2021:2130", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4-wincw/windows-machine-config-operator-bundle:v2.0.1-8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-06-23T00:00:00Z"}, {"advisory": "RHSA-2021:2130", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4-wincw/windows-machine-config-rhel8-operator:2.0.1-6", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-06-23T00:00:00Z"}], "bugzilla": {"description": "kubernetes: LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM", "id": "1946538", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1946538"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Kube-proxy\non Windows can unintentionally forward traffic to local processes \nlistening on the same port (\u201cspec.ports[*].port\u201d) as a LoadBalancer \nService when the LoadBalancer controller\ndoes not set the \u201cstatus.loadBalancer.ingress[].ip\u201d field. Clusters \nwhere the LoadBalancer controller sets the \n\u201cstatus.loadBalancer.ingress[].ip\u201d field are unaffected.", "A flaw was found in the Windows kube-proxy component. In a cloud environment that does not set the \u201c.status.loadBalancer.ingress.ip\u201d field in the LoadBalancer service status configuration (for example in AWS) the packets can be misrouted and reach an unintended destination."], "name": "CVE-2021-25736", "public_date": "2021-05-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-25736\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-25736\nhttps://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q"], "statement": "Clusters where the LoadBalancer controller sets the \u201cstatus.loadBalancer.ingress[].ip\u201d field are unaffected.", "threat_severity": "Moderate"}