Symlink File Overwrite Affecting github.com/kubernetes/kubernetes package, versions >=1.22.0 <1.22.2>=1.21.0 <1.21.5>=1.20.0 <1.20.11<1.19.15


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.1% (43rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-GOLANG-GITHUBCOMKUBERNETESKUBERNETES-1585629
  • published16 Sept 2021
  • disclosed15 Sept 2021
  • creditFabricio Voznika, Mark Wolters

Introduced: 15 Sep 2021

CVE-2021-25741  (opens in a new tab)
CWE-59  (opens in a new tab)

How to fix?

Upgrade github.com/kubernetes/kubernetes to version 1.22.2, 1.21.5, 1.20.11, 1.19.15 or higher.

Overview

github.com/kubernetes/kubernetes is a Production-Grade Container Scheduling and Management.

Affected versions of this package are vulnerable to Symlink File Overwrite. Symlink exchange can allow host filesystem access. A flaw was found in kubernetes where an authorized user can create pods with crafted subpath volume mounts to access files and directories outside of the volume, including on the host node's filesystem.

CVSS Scores

version 3.1