CVE-2021-25741 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary filesystem access
Description	A security issue was discovered in kubelet before version 1.22.2 where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2393	kubelet	1.22.1-1	1.22.2-1	High	Fixed

References
https://github.com/kubernetes/kubernetes/issues/104980

Notes
Workaround ========== To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature. You can also use admission control to prevent less-trusted users from running containers as root to reduce the impact of successful exploitation.

Notes

Workaround
==========

To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature.

You can also use admission control to prevent less-trusted users from running containers as root to reduce the impact of successful exploitation.