GSD-2021-25735
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-25735",
"description": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.",
"id": "GSD-2021-25735",
"references": [
"https://www.suse.com/security/cve/CVE-2021-25735.html",
"https://access.redhat.com/errata/RHSA-2021:2437",
"https://security.archlinux.org/CVE-2021-25735"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-25735"
],
"details": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.",
"id": "GSD-2021-25735",
"modified": "2023-12-13T01:23:21.806728Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2021-04-14T16:00:00.000Z",
"ID": "CVE-2021-25735",
"STATE": "PUBLIC",
"TITLE": "Validating Admission Webhook does not observe some previous fields"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.18.17"
},
{
"version_affected": "\u003c=",
"version_value": "1.19.9"
},
{
"version_affected": "\u003c=",
"version_value": "1.20.5"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Rogerio Bastos \u0026 Ari Lima"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-372 Incomplete Internal State Distinction"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y"
},
{
"name": "https://github.com/kubernetes/kubernetes/issues/100096",
"refsource": "MISC",
"url": "https://github.com/kubernetes/kubernetes/issues/100096"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes/kubernetes/issues/100096"
],
"discovery": "EXTERNAL"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv1.18.18||\u003e=v1.19.0 \u003cv1.19.10||\u003e=v1.20.0 \u003cv1.20.6",
"affected_versions": "All versions before 1.18.18, all versions starting from 1.19.0 before 1.19.10, all versions starting from 1.20.0 before 1.20.6",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-09-13",
"description": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook.Validating Admission Webhook does not observe some previous fields.",
"fixed_versions": [
"v1.18.18",
"v1.19.10",
"v1.20.6"
],
"identifier": "CVE-2021-25735",
"identifiers": [
"CVE-2021-25735"
],
"not_impacted": "All versions starting from 1.18.18 before 1.19.0, all versions starting from 1.19.10 before 1.20.0, all versions starting from 1.20.6",
"package_slug": "go/github.com/kubernetes/kubelet",
"pubdate": "2021-09-06",
"solution": "Upgrade to version 1.18.18, 1.19.10, 1.20.6, or above.",
"title": "Incorrect Authorization",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-25735"
],
"uuid": "26c5233b-1803-4da8-97f3-b5fd9eccabae",
"versions": [
{
"commit": {
"sha": "ac66230628094eb883c92828d00617dd488a0198",
"tags": [
"kubernetes-1.19.0"
],
"timestamp": "20200826215147"
},
"number": "v1.19.0"
},
{
"commit": {
"sha": "813e574ae28f51d8fa7745338022f4b9623827bb",
"tags": [
"kubernetes-1.20.0"
],
"timestamp": "20201208213757"
},
"number": "v1.20.0"
},
{
"commit": {
"sha": "f6dfdcae16ddf3c55e533a0ddab3c26d1bdd91e2",
"tags": [
"kubernetes-1.18.18"
],
"timestamp": "20210415085016"
},
"number": "v1.18.18"
},
{
"commit": {
"sha": "d635c32abd0b293230cbc8b9211c6f287cf9f9d5",
"tags": [
"kubernetes-1.19.10"
],
"timestamp": "20210415085053"
},
"number": "v1.19.10"
},
{
"commit": {
"sha": "e4efd12eddbf12432141ef9e04582b1cd51808f9",
"tags": [
"kubernetes-1.20.6"
],
"timestamp": "20210415085137"
},
"number": "v1.20.6"
}
]
},
{
"affected_range": "\u003e=1.20.0 \u003c=1.20.5||\u003e=1.19.0 \u003c=1.19.9||\u003c=1.18.17",
"affected_versions": "All versions starting from 1.20.0 up to 1.20.5, all versions starting from 1.19.0 up to 1.19.9, all versions up to 1.18.17",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-863",
"CWE-937"
],
"date": "2022-04-12",
"description": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.",
"fixed_versions": [
"1.20.6",
"1.18.18",
"1.18.18"
],
"identifier": "CVE-2021-25735",
"identifiers": [
"GHSA-g42g-737j-qx6j",
"CVE-2021-25735"
],
"not_impacted": "All versions before 1.20.0, all versions after 1.20.5, all versions before 1.19.0, all versions after 1.18.17 before 1.19.9",
"package_slug": "go/k8s.io/kubernetes",
"pubdate": "2021-12-16",
"solution": "Upgrade to versions 1.20.6, 1.18.18, 1.18.18 or above.",
"title": "Incorrect Authorization",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-25735",
"https://github.com/kubernetes/kubernetes/issues/100096",
"https://github.com/kubernetes/kubernetes/pull/99946",
"https://github.com/kubernetes/kubernetes/commit/00e81db174ef7aca497be5f42d87e46d14df2a90",
"https://bugzilla.redhat.com/show_bug.cgi?id=1937562",
"https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y",
"https://pkg.go.dev/k8s.io/kubernetes@v1.23.5/cmd/kube-apiserver",
"https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass/",
"https://github.com/advisories/GHSA-g42g-737j-qx6j"
],
"uuid": "5b39cb00-63a4-40cf-9796-8e427c0d7256"
},
{
"affected_range": "\u003c1.18.18||\u003e=1.19.0 \u003c1.19.10||\u003e=1.20.0 \u003c1.20.6",
"affected_versions": "All versions before 1.18.18, all versions starting from 1.19.0 before 1.19.10, all versions starting from 1.20.0 before 1.20.6",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-09-13",
"description": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook.Validating Admission Webhook does not observe some previous fields.",
"fixed_versions": [
"1.18.18",
"1.19.10",
"1.20.6"
],
"identifier": "CVE-2021-25735",
"identifiers": [
"CVE-2021-25735"
],
"not_impacted": "All versions starting from 1.18.18 before 1.19.0, all versions starting from 1.19.10 before 1.20.0, all versions starting from 1.20.6",
"package_slug": "go/k8s.io/kubernetes/pkg/apis/apps/validation",
"pubdate": "2021-09-06",
"solution": "Upgrade to version 1.18.18, 1.19.10 or 1.20.6 or above.",
"title": "Incorrect Authorization",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-25735"
],
"uuid": "da9e153f-2eca-4475-9f40-d7a675e3fa1e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.20.6",
"versionStartIncluding": "1.20.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.19.10",
"versionStartIncluding": "1.19.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.18.18",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"ID": "CVE-2021-25735"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y",
"refsource": "MISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y"
},
{
"name": "https://github.com/kubernetes/kubernetes/issues/100096",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/kubernetes/kubernetes/issues/100096"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2
}
},
"lastModifiedDate": "2023-06-26T19:16Z",
"publishedDate": "2021-09-06T12:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…