What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2021-25735.

What is the severity of CVE-2021-25735?

The severity of CVE-2021-25735 is medium.

How does CVE-2021-25735 affect Kubernetes kube-apiserver?

CVE-2021-25735 affects Kubernetes kube-apiserver by allowing node updates to bypass a Validating Admission Webhook and allow unauthorized node updates.

What versions of Kubernetes kube-apiserver are affected by CVE-2021-25735?

Versions up to and including 1.18.17, 1.19.9, 1.20.5, and 1.21.0 are affected by CVE-2021-25735.

How can I fix CVE-2021-25735?

To fix CVE-2021-25735, update Kubernetes kube-apiserver to version 1.18.18, 1.19.10, 1.20.6, or 1.21.0.

Vulnerability/
CVE-2021-25735

medium

6.5

CWE

284 372 863 20

11/3/2021

14/4/2021

28/5/2021

3/8/2024

CVE-2021-25735: Validating Admission Webhook does not observe some previous fields

First published: Thu Mar 11 2021(Updated: )

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Credit: jordan@liggitt.net jordan@liggitt.net

Affected Software	Affected Version	How to fix
go/k8s.io/kubernetes	<=1.18.17	1.18.18
go/k8s.io/kubernetes	>=1.19.0<=1.19.9	1.19.10
go/k8s.io/kubernetes	>=1.20.0<=1.20.5	1.20.6
redhat/kubernetes	<1.21.0	1.21.0
redhat/kubernetes	<1.20.6	1.20.6
redhat/kubernetes	<1.19.10	1.19.10
redhat/kubernetes	<1.18.18	1.18.18
redhat/openshift	<0:4.8.0-202107161820.p0.git.051ac4f.assembly.stream.el7	0:4.8.0-202107161820.p0.git.051ac4f.assembly.stream.el7
Kubernetes Kubernetes	<1.18.18
Kubernetes Kubernetes	>=1.19.0<1.19.10
Kubernetes Kubernetes	>=1.20.0<1.20.6

Remedy

https://github.com/kubernetes/kubernetes/issues/100096

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

RHSA-2021:2437

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-25735.
What is the severity of CVE-2021-25735?
The severity of CVE-2021-25735 is medium.
How does CVE-2021-25735 affect Kubernetes kube-apiserver?
CVE-2021-25735 affects Kubernetes kube-apiserver by allowing node updates to bypass a Validating Admission Webhook and allow unauthorized node updates.
What versions of Kubernetes kube-apiserver are affected by CVE-2021-25735?
Versions up to and including 1.18.17, 1.19.9, 1.20.5, and 1.21.0 are affected by CVE-2021-25735.
How can I fix CVE-2021-25735?
To fix CVE-2021-25735, update Kubernetes kube-apiserver to version 1.18.18, 1.19.10, 1.20.6, or 1.21.0.

collector/github-advisory
alias/GHSA-g42g-737j-qx6j
alias/CVE-2021-25735
collector/github-advisory-latest
collector/redhat-cve
collector/nvd-index
collector/nvd-cve
agent/author
agent/type
agent/softwarecombine
agent/first-publish-date
agent/remedy
agent/severity
agent/weakness
agent/references
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/description
agent/tags
agent/event
package-manager/go
package-manager/redhat
vendor/kubernetes
canonical/kubernetes kubernetes
version/kubernetes kubernetes/1.19.0
version/kubernetes kubernetes/1.20.0