CVE-2021-25735: Incorrect Authorization
(updated )
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
References
- bugzilla.redhat.com/show_bug.cgi?id=1937562
- github.com/advisories/GHSA-g42g-737j-qx6j
- github.com/kubernetes/kubernetes/commit/00e81db174ef7aca497be5f42d87e46d14df2a90
- github.com/kubernetes/kubernetes/issues/100096
- github.com/kubernetes/kubernetes/pull/99946
- groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y
- nvd.nist.gov/vuln/detail/CVE-2021-25735
- pkg.go.dev/k8s.io/kubernetes@v1.23.5/cmd/kube-apiserver
- sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass/
Code Behaviors & Features
Detect and mitigate CVE-2021-25735 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →