CVE-2021-25735
Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes
Severity: 6.5 MEDIUM (CVSS 3.1); EPSS 16.3%
Description
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object, because the Validating Admission Webhook does not observe some of the Node's previous fields.
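As an added illustration (not code from this advisory or from Kubernetes), the following Go sketch of a Node validating webhook contrasts the pattern the advisory warns about, a policy that decides from `request.oldObject`, with one that re-reads the stored Node from the API server and fails closed when that read does not succeed. The `protectedLabel` name, the injected `Lookup` type and the trimmed AdmissionReview structs are assumptions made for the example.

```go
package main

import "encoding/json"

// Only the fields this policy reads are modelled.
type node struct {
	Metadata struct {
		Name   string            `json:"name"`
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
}
type admissionReview struct {
	Request struct {
		Operation string          `json:"operation"`
		Object    json.RawMessage `json:"object"`
		OldObject json.RawMessage `json:"oldObject"`
	} `json:"request"`
}
// protectedLabel is a hypothetical marker this policy guards.
const protectedLabel = "example.com/protected"
// Lookup returns the Node as the API server stores it (injected here so the
// example runs offline; a real webhook would use a client-go Get).
type Lookup func(name string) (node, bool)
// Validate denies an UPDATE that removes protectedLabel from a Node that has it.
// With live == nil it trusts request.oldObject, the old state the advisory says
// may be incomplete; with a Lookup it re-reads the stored Node and fails closed.
func Validate(review []byte, live Lookup) (bool, error) {
	var ar admissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return false, err
	}
	if ar.Request.Operation != "UPDATE" {
		return true, nil
	}
	var newN, oldN node
	if err := json.Unmarshal(ar.Request.Object, &newN); err != nil {
		return false, err
	}
	if live == nil {
		if err := json.Unmarshal(ar.Request.OldObject, &oldN); err != nil {
			return false, err
		}
	} else if n, ok := live(newN.Metadata.Name); ok {
		oldN = n
	} else {
		return false, nil // unknown prior state: deny rather than guess
	}
	// Allowed unless the label was present before and is gone now.
	return oldN.Metadata.Labels[protectedLabel] == "" || newN.Metadata.Labels[protectedLabel] != "", nil
}
```

With a constructed review whose `oldObject` omits the protected label while the stored Node still carries it, the first mode allows the removal and the second denies it.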
How to fix CVE-2021-25735
To remediate CVE-2021-25735, upgrade the affected package to a fixed version below.
- upgrade to 1.20.5+really1.20.2-1 or later
- upgrade to 1.20.6 or later
- upgrade to 1.18.18 or later
Is CVE-2021-25735 being exploited?
Moderate — EPSS is 16.3%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- all versions < 1.20.5+really1.20.2-1
- >= 1.20.0, < 1.20.6
- all versions < 1.18.18; >= 1.19.0, < 1.19.10; >= 1.20.0, < 1.20.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |