Symlink Attack

Affecting k8s.io/kubernetes/pkg/kubelet package, versions >=1.22.0 <1.22.2 || >=1.21.0 <1.21.5 || >=1.20.0 <1.20.11 || <1.19.15

Overview

k8s.io/kubernetes/pkg/kubelet is a package that contains the libraries that drive the Kubelet binary. The kubelet is responsible for node level pod management. It runs on each worker in the cluster.

Affected versions of this package are vulnerable to a symlink attack (CWE-59). A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem.

Remediation

Upgrade k8s.io/kubernetes/pkg/kubelet to version 1.22.2, 1.21.5, 1.20.11, 1.19.15 or higher.
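Until every node runs a fixed kubelet, it helps to know which workloads actually use the subpath mounts this issue abuses. The following audit helper is an added example, not Snyk's or Kubernetes' own code: it takes Pod manifests already parsed into Python dicts (for instance from `kubectl get pods -A -o json`) and reports each volumeMount that sets the real Kubernetes API fields `subPath` or `subPathExpr`; the sample pods are constructed.

```python
# Audit Pod specs for subPath / subPathExpr volume mounts, the feature abused
# by CVE-2021-25741. Added example, not Snyk's or Kubernetes' own code. Input is
# Pod manifests parsed into dicts; the sample pods below are constructed.
from typing import Dict, List


def find_subpath_mounts(pod: Dict) -> List[Dict]:
    """Return one finding per volumeMount (init containers too) that uses subPath/subPathExpr."""
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    findings = []
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            for mount in container.get("volumeMounts", []):
                sub = mount.get("subPath") or mount.get("subPathExpr")
                if not sub:
                    continue
                vol = volumes.get(mount["name"], {})
                # The volume type is the single key besides "name" in a volume entry.
                vol_type = next((k for k in vol if k != "name"), "unknown")
                findings.append({
                    "namespace": meta.get("namespace", "default"),
                    "pod": meta.get("name", "<unnamed>"),
                    "container": container.get("name", "<unnamed>"),
                    "volume": mount["name"],
                    "volume_type": vol_type,
                    "subPath": sub,
                })
    return findings


# Constructed sample manifests: one pod uses a subPath mount, the other does not.
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "team-a"},
     "spec": {"volumes": [{"name": "data", "emptyDir": {}}],
              "containers": [{"name": "app", "volumeMounts": [
                  {"name": "data", "mountPath": "/srv", "subPath": "site"}]}]}},
    {"metadata": {"name": "worker", "namespace": "team-b"},
     "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "worker-cfg"}}],
              "containers": [{"name": "job", "volumeMounts": [
                  {"name": "cfg", "mountPath": "/etc/cfg"}]}]}},
]

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        for f in find_subpath_mounts(pod):
            print(f"{f['namespace']}/{f['pod']} container={f['container']} "
                  f"volume={f['volume']} ({f['volume_type']}) subPath={f['subPath']}")
```

Findings whose volume type is a node-backed volume deserve review first; workloads that do not need a subpath can drop it without waiting for the upgrade.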

CVSS Score

8.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Credit
Fabricio Voznika and Mark Wolters of Google
CVE
CVE-2021-25741
CWE
CWE-59
Snyk ID
SNYK-GOLANG-K8SIOKUBERNETESPKGKUBELET-1729741
Disclosed
08 Oct, 2021
Published
08 Oct, 2021