CVE-2021-25735

Description

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Related CPE's

akuberneteskubernetes********

vulnerable

akuberneteskubernetes********

vulnerable

akuberneteskubernetes********

vulnerable

References

https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y

Mailing ListThird Party Advisory

https://github.com/kubernetes/kubernetes/issues/100096

PatchThird Party Advisory

CvssV3 impact

BaseSeverity

MEDIUM

ConfidentialityImpact

NONE

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

HIGH

PrivilegesRequired

HIGH

BaseScore

6.5

VectorString

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

NONE

AvailabilityImpact

PARTIAL

IntegrityImpact

PARTIAL

BaseScore

5.5

VectorString

AV:N/AC:L/Au:S/C:N/I:P/A:P

Version

2.0

AccessVector

NETWORK

Authentication

SINGLE

Created by Yello
About Severity.io