CVE-2021-25735

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Published: Sep 6, 2021
Updated: Jun 27, 2023
CVE: CVE-2021-25735
GHSA: GHSA-g42g-737j-qx6j
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P

CWEs:

CWE-284
CWE-863

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
kubernetes / kubernetes	1.20.0	1.20.6
kubernetes / kubernetes	1.19.0	1.19.10
kubernetes / kubernetes	-	1.18.18
k8s.io/kubernetes	1.20.0	1.20.6
k8s.io/kubernetes	1.19.0	1.19.10
k8s.io/kubernetes	-	1.18.18

https://bugzilla.redhat.com/show_bug.cgi?id=1937562
https://github.com/kubernetes/kubernetes/commit/00e81db174ef7aca497be5f42d87e46d14df2a90
https://github.com/kubernetes/kubernetes/issues/100096
https://github.com/kubernetes/kubernetes/pull/99946
https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y
https://pkg.go.dev/k8s.io/[email protected]/cmd/kube-apiserver
https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass/

Vulnerability Database

289,697

CVE-2021-25735