Moderate severityNVD Advisory· Published Sep 6, 2021· Updated Sep 16, 2024
Validating Admission Webhook does not observe some previous fields
CVE-2021-25735
Description
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/kubernetesGo | >= 1.20.0, < 1.20.6 | 1.20.6 |
k8s.io/kubernetesGo | >= 1.19.0, < 1.19.10 | 1.19.10 |
k8s.io/kubernetesGo | < 1.18.18 | 1.18.18 |
Affected products
28- osv-coords27 versionspkg:apk/chainguard/kubeflow-pipelinespkg:apk/chainguard/kubeflow-pipelines-apiserverpkg:apk/chainguard/kubeflow-pipelines-cache-deployerpkg:apk/chainguard/kubeflow-pipelines-cache-deployer-compatpkg:apk/chainguard/kubeflow-pipelines-cache_serverpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/kubeflow-pipelines-metadata-envoy-configpkg:apk/chainguard/kubeflow-pipelines-metadata-writerpkg:apk/chainguard/kubeflow-pipelines-metadata-writer-compatpkg:apk/chainguard/kubeflow-pipelines-persistence_agentpkg:apk/chainguard/kubeflow-pipelines-scheduledworkflowpkg:apk/chainguard/kubeflow-pipelines-viewer-crd-controllerpkg:apk/chainguard/kubernetes-dns-node-cache-1.17pkg:apk/wolfi/kubeflow-pipelinespkg:apk/wolfi/kubeflow-pipelines-apiserverpkg:apk/wolfi/kubeflow-pipelines-cache-deployerpkg:apk/wolfi/kubeflow-pipelines-cache-deployer-compatpkg:apk/wolfi/kubeflow-pipelines-cache_serverpkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/kubeflow-pipelines-metadata-envoy-configpkg:apk/wolfi/kubeflow-pipelines-metadata-writerpkg:apk/wolfi/kubeflow-pipelines-metadata-writer-compatpkg:apk/wolfi/kubeflow-pipelines-persistence_agentpkg:apk/wolfi/kubeflow-pipelines-scheduledworkflowpkg:apk/wolfi/kubeflow-pipelines-viewer-crd-controllerpkg:golang/k8s.io/kubernetespkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0+ 26 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 1.20.0, < 1.20.6
- (no CPE)range: < 0.0.20250807T150727-1.1
- Range: unspecified
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-g42g-737j-qx6jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-25735ghsaADVISORY
- bugzilla.redhat.com/show_bug.cgighsaWEB
- github.com/kubernetes/kubernetes/commit/00e81db174ef7aca497be5f42d87e46d14df2a90ghsaWEB
- github.com/kubernetes/kubernetes/issues/100096ghsax_refsource_MISCWEB
- github.com/kubernetes/kubernetes/pull/99946ghsaWEB
- groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Yghsax_refsource_MISCWEB
- pkg.go.dev/k8s.io/kubernetes@v1.23.5/cmd/kube-apiserverghsaWEB
- sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypassghsaWEB
News mentions
0No linked articles in our index yet.