Vulnerability Details : CVE-2021-25735
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Exploit prediction scoring system (EPSS) score for CVE-2021-25735
Probability of exploitation activity in the next 30 days: 0.07%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 28 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-25735
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
5.5
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:P |
8.0
|
4.9
|
[email protected] |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
1.2
|
5.2
|
[email protected] |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
1.2
|
5.2
|
[email protected] |
CWE ids for CVE-2021-25735
-
The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Assigned by: [email protected] (Secondary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Assigned by: [email protected] (Primary)
References for CVE-2021-25735
-
https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y
Mailing List;Third Party Advisory
-
https://github.com/kubernetes/kubernetes/issues/100096
Patch;Third Party Advisory
Products affected by CVE-2021-25735
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*