gsd-2021-25735
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2021-25735",
    "description": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.",
    "id": "GSD-2021-25735",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-25735.html",
      "https://access.redhat.com/errata/RHSA-2021:2437",
      "https://security.archlinux.org/CVE-2021-25735"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-25735"
      ],
      "details": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.",
      "id": "GSD-2021-25735",
      "modified": "2023-12-13T01:23:21.806728Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@kubernetes.io",
        "DATE_PUBLIC": "2021-04-14T16:00:00.000Z",
        "ID": "CVE-2021-25735",
        "STATE": "PUBLIC",
        "TITLE": "Validating Admission Webhook does not observe some previous fields"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Kubernetes",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_value": "1.18.17"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_value": "1.19.9"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_value": "1.20.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Kubernetes"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Rogerio Bastos \u0026 Ari Lima"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-372 Incomplete Internal State Distinction"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y",
            "refsource": "MISC",
            "url": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y"
          },
          {
            "name": "https://github.com/kubernetes/kubernetes/issues/100096",
            "refsource": "MISC",
            "url": "https://github.com/kubernetes/kubernetes/issues/100096"
          }
        ]
      },
      "source": {
        "defect": [
          "https://github.com/kubernetes/kubernetes/issues/100096"
        ],
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv1.18.18||\u003e=v1.19.0 \u003cv1.19.10||\u003e=v1.20.0 \u003cv1.20.6",
          "affected_versions": "All versions before 1.18.18, all versions starting from 1.19.0 before 1.19.10, all versions starting from 1.20.0 before 1.20.6",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2021-09-13",
          "description": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook.Validating Admission Webhook does not observe some previous fields.",
          "fixed_versions": [
            "v1.18.18",
            "v1.19.10",
            "v1.20.6"
          ],
          "identifier": "CVE-2021-25735",
          "identifiers": [
            "CVE-2021-25735"
          ],
          "not_impacted": "All versions starting from 1.18.18 before 1.19.0, all versions starting from 1.19.10 before 1.20.0, all versions starting from 1.20.6",
          "package_slug": "go/github.com/kubernetes/kubelet",
          "pubdate": "2021-09-06",
          "solution": "Upgrade to version 1.18.18, 1.19.10, 1.20.6, or above.",
          "title": "Incorrect Authorization",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-25735"
          ],
          "uuid": "26c5233b-1803-4da8-97f3-b5fd9eccabae",
          "versions": [
            {
              "commit": {
                "sha": "ac66230628094eb883c92828d00617dd488a0198",
                "tags": [
                  "kubernetes-1.19.0"
                ],
                "timestamp": "20200826215147"
              },
              "number": "v1.19.0"
            },
            {
              "commit": {
                "sha": "813e574ae28f51d8fa7745338022f4b9623827bb",
                "tags": [
                  "kubernetes-1.20.0"
                ],
                "timestamp": "20201208213757"
              },
              "number": "v1.20.0"
            },
            {
              "commit": {
                "sha": "f6dfdcae16ddf3c55e533a0ddab3c26d1bdd91e2",
                "tags": [
                  "kubernetes-1.18.18"
                ],
                "timestamp": "20210415085016"
              },
              "number": "v1.18.18"
            },
            {
              "commit": {
                "sha": "d635c32abd0b293230cbc8b9211c6f287cf9f9d5",
                "tags": [
                  "kubernetes-1.19.10"
                ],
                "timestamp": "20210415085053"
              },
              "number": "v1.19.10"
            },
            {
              "commit": {
                "sha": "e4efd12eddbf12432141ef9e04582b1cd51808f9",
                "tags": [
                  "kubernetes-1.20.6"
                ],
                "timestamp": "20210415085137"
              },
              "number": "v1.20.6"
            }
          ]
        },
        {
          "affected_range": "\u003e=1.20.0 \u003c=1.20.5||\u003e=1.19.0 \u003c=1.19.9||\u003c=1.18.17",
          "affected_versions": "All versions starting from 1.20.0 up to 1.20.5, all versions starting from 1.19.0 up to 1.19.9, all versions up to 1.18.17",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-863",
            "CWE-937"
          ],
          "date": "2022-04-12",
          "description": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.",
          "fixed_versions": [
            "1.20.6",
            "1.18.18",
            "1.18.18"
          ],
          "identifier": "CVE-2021-25735",
          "identifiers": [
            "GHSA-g42g-737j-qx6j",
            "CVE-2021-25735"
          ],
          "not_impacted": "All versions before 1.20.0, all versions after 1.20.5, all versions before 1.19.0, all versions after 1.18.17 before 1.19.9",
          "package_slug": "go/k8s.io/kubernetes",
          "pubdate": "2021-12-16",
          "solution": "Upgrade to versions 1.20.6, 1.18.18, 1.18.18 or above.",
          "title": "Incorrect Authorization",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-25735",
            "https://github.com/kubernetes/kubernetes/issues/100096",
            "https://github.com/kubernetes/kubernetes/pull/99946",
            "https://github.com/kubernetes/kubernetes/commit/00e81db174ef7aca497be5f42d87e46d14df2a90",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1937562",
            "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y",
            "https://pkg.go.dev/k8s.io/kubernetes@v1.23.5/cmd/kube-apiserver",
            "https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass/",
            "https://github.com/advisories/GHSA-g42g-737j-qx6j"
          ],
          "uuid": "5b39cb00-63a4-40cf-9796-8e427c0d7256"
        },
        {
          "affected_range": "\u003c1.18.18||\u003e=1.19.0 \u003c1.19.10||\u003e=1.20.0 \u003c1.20.6",
          "affected_versions": "All versions before 1.18.18, all versions starting from 1.19.0 before 1.19.10, all versions starting from 1.20.0 before 1.20.6",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2021-09-13",
          "description": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook.Validating Admission Webhook does not observe some previous fields.",
          "fixed_versions": [
            "1.18.18",
            "1.19.10",
            "1.20.6"
          ],
          "identifier": "CVE-2021-25735",
          "identifiers": [
            "CVE-2021-25735"
          ],
          "not_impacted": "All versions starting from 1.18.18 before 1.19.0, all versions starting from 1.19.10 before 1.20.0, all versions starting from 1.20.6",
          "package_slug": "go/k8s.io/kubernetes/pkg/apis/apps/validation",
          "pubdate": "2021-09-06",
          "solution": "Upgrade to version 1.18.18, 1.19.10 or 1.20.6 or above.",
          "title": "Incorrect Authorization",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-25735"
          ],
          "uuid": "da9e153f-2eca-4475-9f40-d7a675e3fa1e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.20.6",
                "versionStartIncluding": "1.20.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.19.10",
                "versionStartIncluding": "1.19.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.18.18",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@kubernetes.io",
          "ID": "CVE-2021-25735"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y"
            },
            {
              "name": "https://github.com/kubernetes/kubernetes/issues/100096",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/kubernetes/kubernetes/issues/100096"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-06-26T19:16Z",
      "publishedDate": "2021-09-06T12:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.