CVE-2021-25737: 
Jenkins vulnerability analysis and mitigation

A security issue (CVE-2021-25737) was discovered in Kubernetes where an authorized user could redirect pod traffic to private networks on a Node. The vulnerability affects kube-apiserver versions v1.21.0, v1.20.0-v1.20.6, v1.19.0-v1.19.10, and v1.16.0-v1.18.18. While Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, the same validation was not performed on EndpointSlice IPs (Sysdig Blog, MITRE CVE).

The vulnerability exists in the EndpointSlice validation mechanism of kube-apiserver. The issue can be exploited by creating or modifying EndpointSlices and adding endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 internal ranges. The vulnerability has been rated Low severity with a CVSS score of 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N). The vulnerability is exploitable via the network and has a low attack complexity (Sysdig Blog).

When successfully exploited, this vulnerability allows attackers to redirect and intercept pod traffic to private networks on a node. This could potentially lead to sensitive data leaks and enable the theft of credentials that could facilitate lateral movement within the cluster. The impact is rated low in terms of confidentiality and has no impact on integrity and availability (Sysdig Blog).

The vulnerability is fixed in Kubernetes versions v1.21.1, v1.20.7, v1.19.11, and v1.18.19. For users unable to upgrade, a mitigation strategy involves creating a validating admission webhook that prevents EndpointSlices creation and modification with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. Users with existing admission policy mechanisms like OPA Gatekeeper can create policies to enforce these restrictions (Sysdig Blog, Kubernetes Github).