CVE-2021-25735Incomplete Internal State Distinction in Kubernetes

CWE-372Incomplete Internal State DistinctionCWE-284Improper Access ControlCWE-863Incorrect AuthorizationCWE-20Improper Input Validation8 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
14.4%
top 5.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
KubernetesK8s.io Kubernetes
Timeline
PublishedSep 6
Latest updateAug 21

Description

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:HExploitability: 1.2 | Impact: 5.2

Affected Packages4 packages

Gok8s.io/kubernetes1.20.01.20.6+2
NVDkubernetes/kubernetes1.19.01.19.10+2
Debiankubernetes/kubernetes< 1.20.5+really1.20.2-1+3
CVEListV5kubernetes/kubernetesunspecified1.18.17+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes2024-08-21
CVEList
Validating Admission Webhook does not observe some previous fields2021-09-06
OSV
CVE-2021-25735: A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook2021-09-06
GHSA
Access Restriction Bypass in kube-apiserver2021-05-28
OSV
Access Restriction Bypass in kube-apiserver2021-05-28

📋Vendor Advisories

2
Red Hat
kubernetes: Validating Admission Webhook does not observe some previous fields2021-04-14
Debian
CVE-2021-25735: kubernetes - A security issue was discovered in kube-apiserver that could allow node updates ...2021
CVE-2021-25735 — Incomplete Internal State Distinction | cvebase