CVE-2021-25735

Summary

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetesunspecified <= 1.18.17affected
KubernetesKubernetesunspecified <= 1.19.9affected
KubernetesKubernetesunspecified <= 1.20.5affected

Weaknesses

  • CWE-372: CWE-372 Incomplete Internal State Distinction

ADP Enrichment

CVE Program Container

Additional References

References