CVE-2021-25735
6.5
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kubernetes | Kubernetes | unspecified <= 1.18.17 | affected |
| Kubernetes | Kubernetes | unspecified <= 1.19.9 | affected |
| Kubernetes | Kubernetes | unspecified <= 1.20.5 | affected |
Weaknesses
- CWE-372: CWE-372 Incomplete Internal State Distinction
ADP Enrichment
CVE Program Container
Additional References
- https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y
- https://github.com/kubernetes/kubernetes/issues/100096
References
- https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y
- https://github.com/kubernetes/kubernetes/issues/100096
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.