CVE-2021-25735

MEDIUM

Kube-apiserver - Privilege Escalation

Title source: llm

Description

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object: on affected versions, the old Node object that kube-apiserver hands to the webhook (the oldObject of the AdmissionReview request) does not reflect some of the node's previous fields, so a policy that compares old and new state can be made to allow an update it would otherwise deny. Webhooks that decide on the new object alone are not affected.
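The affected webhook pattern and its hardened form, as an added example written for this page (it is not code from Kubernetes or from either PoC listed below). It assumes a stdlib-only mirror of the admission.k8s.io/v1 AdmissionReview fields instead of client-go, a hypothetical policy label example.com/protected that a Node update may not remove, a NodeLookup that stands in for a client-go Get against the API server, and a constructed sample request in which the presented oldObject omits that label; the page does not say which Node fields the bug failed to observe, so the label is only a stand-in.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stdlib-only mirror of the admission.k8s.io/v1 wire format, reduced to the fields used here.
type ObjectMeta struct {
	Name   string            `json:"name"`
	Labels map[string]string `json:"labels"`
}
type Node struct{ Metadata ObjectMeta `json:"metadata"` }
type AdmissionRequest struct {
	UID       string                            `json:"uid"`
	Kind      struct{ Kind string `json:"kind"` } `json:"kind"`
	Operation string                            `json:"operation"`
	Object    json.RawMessage                   `json:"object"`
	OldObject json.RawMessage                   `json:"oldObject"`
}
type Status struct{ Message string `json:"message,omitempty"` }
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

// Hypothetical policy: once a node carries this label, an update may not drop it.
const protectedLabel = "example.com/protected"
// NodeLookup returns the Node as the API server currently stores it (a client-go Get in a
// real webhook; injected here so the example runs offline).
type NodeLookup func(name string) (*Node, error)

func deny(out *AdmissionReview, msg string) (*AdmissionReview, error) {
	out.Response.Allowed, out.Response.Status = false, &Status{Message: msg}
	return out, nil
}

// previousState is the only place the two variants differ: the affected pattern
// (trustOldObject=true) reads request.oldObject, which vulnerable kube-apiserver versions
// may populate without some previous fields; the hardened form asks the API server instead.
func previousState(req *AdmissionRequest, name string, trustOldObject bool, lookup NodeLookup) (*Node, error) {
	if !trustOldObject {
		return lookup(name)
	}
	var prev Node
	return &prev, json.Unmarshal(req.OldObject, &prev)
}

// Decide evaluates one AdmissionReview and returns the response the webhook would send.
func Decide(review []byte, trustOldObject bool, lookup NodeLookup) (*AdmissionReview, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return nil, err
	} else if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	req := ar.Request
	out := &AdmissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: &AdmissionResponse{UID: req.UID, Allowed: true}}
	if req.Kind.Kind != "Node" || req.Operation != "UPDATE" {
		return out, nil // this policy only covers Node updates
	}
	var next Node
	if err := json.Unmarshal(req.Object, &next); err != nil {
		return deny(out, "unparseable object: "+err.Error())
	}
	prev, err := previousState(req, next.Metadata.Name, trustOldObject, lookup)
	if err != nil {
		return deny(out, "cannot determine previous state: "+err.Error()) // fail closed
	}
	_, had := prev.Metadata.Labels[protectedLabel]
	if _, has := next.Metadata.Labels[protectedLabel]; had && !has {
		return deny(out, fmt.Sprintf("label %q must not be removed from node %s", protectedLabel, next.Metadata.Name))
	}
	return out, nil
}

// Constructed sample: neither object nor oldObject shows the protected label although the
// stored node carries it, modelling the misleading previous state the advisory describes.
const SampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{
 "uid":"7c3a1d2e-0000-4000-8000-000000000001","kind":{"version":"v1","kind":"Node"},"operation":"UPDATE",
 "object":{"metadata":{"name":"worker-1","labels":{"kubernetes.io/hostname":"worker-1"}}},
 "oldObject":{"metadata":{"name":"worker-1","labels":{"kubernetes.io/hostname":"worker-1"}}}}}`

// Constructed: the API server's copy of worker-1, which does carry the protected label.
var StoredWorker1 = &Node{Metadata: ObjectMeta{Name: "worker-1", Labels: map[string]string{protectedLabel: "true"}}}

func main() {
	for _, trust := range []bool{true, false} {
		r, _ := Decide([]byte(SampleReview), trust, func(string) (*Node, error) { return StoredWorker1, nil })
		fmt.Println("trustOldObject:", trust, "allowed:", r.Response.Allowed)
	}
}
```

With trustOldObject=true the constructed request is allowed, because the presented oldObject already lacks the label and the comparison sees nothing removed; with trustOldObject=false the same request is denied, because the previous state comes from the stored Node. The hardened path fails closed when the lookup errors, and the response echoes the request uid as the admission API requires. Fetching the current object costs one API call per admission request, which is the price of not depending on oldObject on an unpatched apiserver; upgrading kube-apiserver remains the actual fix.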

Exploits (2)

nomisec · working PoC · 17 stars
by darryk10 · poc
https://github.com/darryk10/CVE-2021-25735

gitlab · working PoC
by securitystuffbackup · poc
https://gitlab.com/securitystuffbackup/cve-2021-25735

Scores

CVSS v3 6.5
EPSS 0.1439
EPSS Percentile 94.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Details

CWE
CWE-372 (Incomplete Internal State Distinction)
Status published
Products (2)
k8s.io/kubernetes (Go) 1.20.0 - 1.20.6
kubernetes/kubernetes < 1.18.18
Published Sep 06, 2021
Tracked Since Feb 18, 2026