Kubernetes new high severity vulnerability CVE-2021-25741 – are you exposed?(armosec.io)
armosec.io
Kubernetes new high severity vulnerability CVE-2021-25741 – are you exposed?
https://www.armosec.io/blog/kubescape-checks-if-kubernetes-exposed-to-k8s-symlink-vulnerability-cve202125741
4 comments
A new HIGH severity vulnerability was found in Kubernetes in which users may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. The issue is affecting the Kubelet component of Kubernetes. This vulnerability allows attackers to abuse subPath property of the volumeMounts and access the entire host file system without using the hostPath feature originally intended for this capability.
while "official" hostPath feature is intended to provide the same result, it is being watched by practically all security and compliance tools, so such access can't go unnoticed. With the subPath abuse attackers can obtain complete host file system access undetected. So it is really urgent to start scanning for this vulnerability and potential exploits until your Kubernetes version is upgraded.
n0nz3r0(1)