CVE-2021-25735

Name: CVE-2021-25735
Description: A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 990793

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| kubernetes (PTS) | bullseye | 1.20.5+really1.20.2-1 | fixed |
| kubernetes (PTS) | bookworm, sid | 1.20.5+really1.20.2-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| kubernetes | source | bullseye | (not affected) | | | |
| kubernetes | source | (unstable) | (unfixed) | | | 990793 |

Notes

[bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client)
https://www.openwall.com/lists/oss-security/2021/04/14/1
https://github.com/kubernetes/kubernetes/issues/100096
Server components no longer built since 1.20.5+really1.20.2-1
