CVE-2021-25741
This is a volume permission issue: a user can access files and directories outside the volume's mount directory, including the host's file system, through the subPath volume-mounting method in a container they create.
Scope
This vulnerability affects the volume-mounting behaviour of kubelet. The issue is particularly serious for clusters whose administrators strictly restrict the creation of hostPath volumes, because subPath gives a container another route to the host's file system.
CVSS scores
This vulnerability is rated as medium-risk with a CVSS score of 5.5.
Prevention
Users who do not want to upgrade kubelet can use two preventative measures:
- Disable VolumeSubpath for kubelet and kube-apiserver, and remove all pods that are using this feature.
- Use admission control to prevent users with low trust levels from running containers with root permission.
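Both measures need an inventory first: which pods would break if VolumeSubpath were turned off, and which containers could still run as root and so would be caught by the admission control. The following audit script is an added example, not part of this advisory or of KLTS; it reads the same shape that kubectl get pods -A -o json returns (a v1.PodList) and the embedded sample pod list is constructed for illustration. It treats a container as root-capable unless runAsNonRoot is true or a non-zero runAsUser is set, with container-level securityContext overriding pod-level, which is the kubelet's precedence.

```python
"""Audit pod specs for the two CVE-2021-25741 mitigations.

Finding kinds:
  "subPath" - a volumeMount uses subPath or subPathExpr; such pods must be
              removed before VolumeSubpath is disabled on kubelet/apiserver.
  "root"    - a container with no effective runAsNonRoot / non-zero runAsUser;
              these are what the admission control is meant to reject.
"""
import json

# Constructed sample, shaped like `kubectl get pods -A -o json` (v1.PodList).
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {   # uses subPath and has no securityContext at all
            "metadata": {"namespace": "dev", "name": "builder"},
            "spec": {"containers": [{
                "name": "build",
                "image": "example/build:1",  # placeholder image
                "volumeMounts": [{"name": "work", "mountPath": "/var/log/app",
                                  "subPath": "logs"}],
            }]},
        },
        {   # pod-level runAsNonRoot, no subPath: nothing to report
            "metadata": {"namespace": "prod", "name": "web"},
            "spec": {"securityContext": {"runAsNonRoot": True},
                     "containers": [{"name": "nginx", "image": "example/web:1",
                                     "volumeMounts": [{"name": "cfg",
                                                       "mountPath": "/etc/app"}]}]},
        },
        {   # subPathExpr but already non-root via runAsUser
            "metadata": {"namespace": "dev", "name": "envpod"},
            "spec": {"containers": [{
                "name": "app", "image": "example/app:1",
                "securityContext": {"runAsUser": 1000},
                "volumeMounts": [{"name": "data", "mountPath": "/data",
                                  "subPathExpr": "$(POD_NAME)"}],
            }]},
        },
    ],
}


def _containers(pod):
    """Yield init containers and regular containers of a pod, in order."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            yield c


def subpath_mounts(pod):
    """Return (container, mountPath, subPath-or-subPathExpr) for every subPath mount."""
    hits = []
    for c in _containers(pod):
        for m in c.get("volumeMounts", []):
            sp = m.get("subPath") or m.get("subPathExpr")
            if sp:
                hits.append((c["name"], m["mountPath"], sp))
    return hits


def root_capable_containers(pod):
    """Names of containers that may run as uid 0 under the pod's effective securityContext."""
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    names = []
    for c in _containers(pod):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container overrides pod level
        nonroot = sc.get("runAsNonRoot") is True
        uid = sc.get("runAsUser")
        if not nonroot and not (isinstance(uid, int) and uid > 0):
            names.append(c["name"])
    return names


def audit(pod_list):
    """Return (namespace/name, kind, detail) findings for every pod in a v1.PodList."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        key = f"{meta.get('namespace', 'default')}/{meta['name']}"
        for cname, mpath, sp in subpath_mounts(pod):
            findings.append((key, "subPath", f"{cname}: {mpath} -> {sp}"))
        for cname in root_capable_containers(pod):
            findings.append((key, "root", cname))
    return findings


if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` into this script to audit a live cluster;
    # without stdin data it audits the constructed sample instead.
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for key, kind, detail in audit(data):
        print(f"{kind:8s} {key}: {detail}")
```

The "subPath" list is what has to be drained before the feature gate is switched off; the "root" list shows how much of the cluster an admission policy requiring non-root containers would actually affect.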
Fixed by official
- v1.22.2
- v1.21.5
- v1.20.11
- v1.19.15
Fixed by KLTS
- v1.18.20-lts.1 kubernetes/kubernetes#104253
- v1.17.17-lts.1 TODO
- v1.16.15-lts.1 TODO
- v1.15.12-lts.1 TODO
- v1.14.10-lts.1 TODO
- v1.13.12-lts.1 TODO
- v1.12.10-lts.1 TODO
- v1.11.10-lts.1 TODO
- v1.10.13-lts.1 TODO
Feedback
Last modified March 8, 2022: mv en to kuberentes/ (95aa90d4)