PROVIDSD-8965 [kubernetes-announce] [Security Advisory] CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

Skip to first unread message

Sep 15, 2021, 5:18:01 PM9/15/21
Bitte antworten Sie oberhalb dieser Linie.

Guten Tag, hat Sie als Teilnehmer zu der Anfrage "[kubernetes-announce] [Security Advisory] CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access" (Ticket PROVIDSD-8965) hinzugefügt. Für weitere Details rufen Sie - wenn Sie zugriffsberechtigt sind - bitte das Kundenportal auf.

~~~~~~~~~~~~~~ Text der Anfrage ~~~~~~~~~~~~~~

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

This issue has been rated High (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25741.

Affected Components and Configurations

This bug affects kubelet.

Environments where cluster administrators have restricted the ability to create hostPath mounts are the most seriously affected. Exploitation allows hostPath-like access without use of the hostPath feature, thus bypassing the restriction. 

In a default Kubernetes environment, exploitation could be used to obscure misuse of already-granted privileges.

Affected Versions

  • v1.22.0 - v1.22.1

  • v1.21.0 - v1.21.4

  • v1.20.0 - v1.20.10

  • <= v1.19.14

Fixed Versions

This issue is fixed in the following versions:

  • v1.22.2

  • v1.21.5

  • v1.20.11

  • v1.19.15


To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature.

You can also use admission control to prevent less-trusted users from running containers as root to reduce the impact of successful exploitation.


If you find evidence that this vulnerability has been exploited, please contact

Additional Details

See Kubernetes Issue #104980 for more details.


This vulnerability was reported by Fabricio Voznika and Mark Wolters of Google.

Thanks as well to Ian Coldwater, Duffie Cooley, Brad Geesaman, and Rory McCune for the thorough security research that led to the discovery of this vulnerability.

Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee

You received this message because you are subscribed to the Google Groups "kubernetes-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

~~~~~~~~~~~~~~ Ende der Anfrage ~~~~~~~~~~~~~~

Aktueller Status dieses Tickets: "In Arbeit"

Bitte beachten Sie, dass diese Anfrage mit folgenden weiteren Personen geteilt wird: Newsletter,,, und 3 weitere Personen

Reply all
Reply to author
0 new messages