CVE-2021-25735
published 2021-09-06CVE-2021-25735: A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this…
PriorityP339medium6.5CVSS 3.1
AVNACLPRHUINSUCNIHAH
EPSS
5.52%
91.8th percentile
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 0 < 1.18.18 | 1.18.18 |
| k8s.io | kubernetes | >= 1.19.0 < 1.19.10 | 1.19.10 |
| k8s.io | kubernetes | >= 1.20.0 < 1.20.6 | 1.20.6 |
| kubernetes | kubernetes | < 1.18.18 | 1.18.18 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 1.19.0 < 1.19.10 | 1.19.10 |
| kubernetes | kubernetes | >= 1.20.0 < 1.20.6 | 1.20.6 |
| kubernetes | kubernetes | unspecified – 1.18.17 | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
nvdv2.05.5MEDIUMAV:N/AC:L/Au:S/C:N/I:P/A:P
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes
osv·2024-08-21
CVE-2021-25735 Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes
Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes
Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes
OSV
CVE-2021-25735: A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook
osv·2021-09-06·CVSS 6.5
CVE-2021-25735 [MEDIUM] CVE-2021-25735: A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
GHSA
Access Restriction Bypass in kube-apiserver
ghsa·2021-05-28
CVE-2021-25735 [MEDIUM] CWE-284 Access Restriction Bypass in kube-apiserver
Access Restriction Bypass in kube-apiserver
A vulnerability in Kubernetes `kube-apiserver` could allow node updates to bypass a _Validating Admission Webhook_ and allow unauthorized node updates. The information that is provided to the admission controller could contain old configurations that overwrite values used for validation. Since the overwriting takes place before the validation, this could lead the admission controller to accept requests that should be blocked. The vulnerability can be exploited when an update action on node resources is performed and an admission controller is in place and configured to validate the action.
Users are only affected by this vulnerability if they are running a _Validating Admission Webhook_ for Nodes that denies admission based partially on the old
OSV
Access Restriction Bypass in kube-apiserver
osv·2021-05-28
CVE-2021-25735 [MEDIUM] Access Restriction Bypass in kube-apiserver
Access Restriction Bypass in kube-apiserver
A vulnerability in Kubernetes `kube-apiserver` could allow node updates to bypass a _Validating Admission Webhook_ and allow unauthorized node updates. The information that is provided to the admission controller could contain old configurations that overwrite values used for validation. Since the overwriting takes place before the validation, this could lead the admission controller to accept requests that should be blocked. The vulnerability can be exploited when an update action on node resources is performed and an admission controller is in place and configured to validate the action.
Users are only affected by this vulnerability if they are running a _Validating Admission Webhook_ for Nodes that denies admission based partially on the old
Red Hat
kubernetes: Validating Admission Webhook does not observe some previous fields
vendor_redhat·2021-04-14·CVSS 6.5
CVE-2021-25735 [MEDIUM] CWE-20 kubernetes: Validating Admission Webhook does not observe some previous fields
kubernetes: Validating Admission Webhook does not observe some previous fields
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
A vulnerability was found in Kubernetes' kube-apiserver that could allow Node updates to bypass a Validating Admission Webhook. An authenticated user could exploit this by modifying Node properties to values that should have been prevented by registered admission webhooks.
Package: atomic-openshift (Red Hat OpenShift Container Platform 3.11
Debian
CVE-2021-25735: kubernetes - A security issue was discovered in kube-apiserver that could allow node updates ...
vendor_debian·2021·CVSS 6.5
CVE-2021-25735 [MEDIUM] CVE-2021-25735: kubernetes - A security issue was discovered in kube-apiserver that could allow node updates ...
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-09-06
Published