CVE-2021-25749Improper Access Control in Kubernetes

CWE-284Improper Access ControlCWE-842Placement of User into Incorrect Group4 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 88.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
KubernetesDebian Kubernetes
Timeline
PublishedMay 24

Description

Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5kubernetes/kuberneteskubelet v1.22.0 - v1.22.13v1.22.14+2
NVDkubernetes/kubernetes1.22.01.22.14+3

🔴Vulnerability Details

1
GHSA
GHSA-vv2r-w4hf-7mhr: Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true2023-05-24

📋Vendor Advisories

2
Red Hat
kubelet: runAsNonRoot logic bypass for Windows containers2022-09-15
Debian
CVE-2021-25749: kubernetes - Windows workloads can run as ContainerAdministrator even when those workloads se...2021