
Cloud Vulnerability DB
A community-led vulnerabilities database
A security issue (CVE-2021-25735) was discovered in the Kubernetes kube-apiserver that could allow Node updates to bypass a Validating Admission Webhook. Affected kube-apiserver versions are v1.20.0-v1.20.5, v1.19.0-v1.19.9, and v1.18.17 and earlier. The issue is rated medium severity (CVSS score: 6.5). A cluster is only affected if it runs a Validating Admission Webhook for Nodes that bases its admission decision, at least in part, on the old state of the Node object (Kubernetes Issue, Sysdig Blog).
The vulnerability is triggered by an update to a Node resource while an admission webhook is configured to validate that update. kube-apiserver populated request.object and request.oldObject incorrectly when calling the Validating Admission Webhook: the old Node's ObjectMeta (the metadata block that holds fields such as labels and annotations) was overwritten with the new ObjectMeta before admission was evaluated. A webhook that compares old and new metadata to decide whether a change is permitted therefore sees no difference between the two objects, and the change is admitted (Sysdig Blog).
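To show why a webhook that relies on request.oldObject cannot defend itself here, the following is an added example, not code from Kubernetes or from the Sysdig or Wiz write-ups. It implements the decision logic of a validating webhook for Nodes that refuses to let a hypothetical label example.com/pool change on an existing node. The AdmissionReview and Node types are local stand-ins for the admission.k8s.io/v1 and core/v1 shapes (an assumption made so the program runs with the Go standard library alone), and the request data is constructed, not captured. The same update is fed to the policy twice: once as a fixed apiserver presents it, and once with the old metadata already overwritten by the new, as a vulnerable apiserver did.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview wire format and of
// a Node's metadata. These local types are an assumption of this example so it
// builds with the standard library only; a real webhook would use
// k8s.io/api/admission/v1 and k8s.io/api/core/v1.
type ObjectMeta struct {
	Name   string            `json:"name"`
	Labels map[string]string `json:"labels,omitempty"`
}

type Node struct {
	Metadata ObjectMeta `json:"metadata"`
}

type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"`
	Object    json.RawMessage `json:"object"`
	OldObject json.RawMessage `json:"oldObject"`
}

type AdmissionReview struct {
	Request *AdmissionRequest `json:"request"`
}

// protectedLabel is a hypothetical label that the policy refuses to let change
// on an existing Node (for example a pool or trust-tier marker).
const protectedLabel = "example.com/pool"

// validateNodeUpdate is the decision logic of a validating webhook for Nodes.
// It denies an UPDATE that changes protectedLabel. The only way to notice that
// a label changed is to compare request.oldObject with request.object, which
// is exactly the comparison the bug defeats.
func validateNodeUpdate(reviewJSON []byte) (bool, string, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(reviewJSON, &ar); err != nil {
		return false, "", err
	}
	if ar.Request == nil {
		return false, "", fmt.Errorf("AdmissionReview has no request")
	}
	if ar.Request.Operation != "UPDATE" {
		return true, "policy only constrains updates", nil
	}
	var oldNode, newNode Node
	if err := json.Unmarshal(ar.Request.OldObject, &oldNode); err != nil {
		return false, "", fmt.Errorf("oldObject: %w", err)
	}
	if err := json.Unmarshal(ar.Request.Object, &newNode); err != nil {
		return false, "", fmt.Errorf("object: %w", err)
	}
	before := oldNode.Metadata.Labels[protectedLabel]
	after := newNode.Metadata.Labels[protectedLabel]
	if before != after {
		return false, fmt.Sprintf("label %s may not change (%q -> %q)", protectedLabel, before, after), nil
	}
	return true, "", nil
}

// buildReview constructs the AdmissionReview the apiserver would send for an
// update of node "worker-1" (constructed sample data, not a captured request).
func buildReview(oldLabels, newLabels map[string]string) []byte {
	oldObj, _ := json.Marshal(Node{Metadata: ObjectMeta{Name: "worker-1", Labels: oldLabels}})
	newObj, _ := json.Marshal(Node{Metadata: ObjectMeta{Name: "worker-1", Labels: newLabels}})
	review, _ := json.Marshal(AdmissionReview{Request: &AdmissionRequest{
		UID: "1", Operation: "UPDATE", Object: newObj, OldObject: oldObj,
	}})
	return review
}

func main() {
	trusted := map[string]string{protectedLabel: "trusted"}
	attacker := map[string]string{protectedLabel: "attacker"}

	// Fixed apiserver: oldObject still carries the pre-update metadata, so the
	// webhook sees the label flip and denies the request.
	allowed, reason, _ := validateNodeUpdate(buildReview(trusted, attacker))
	fmt.Printf("fixed apiserver:      allowed=%v %s\n", allowed, reason)

	// Vulnerable apiserver (CVE-2021-25735): the old Node's ObjectMeta has been
	// overwritten with the new ObjectMeta before the webhook runs, so oldObject
	// and object carry identical labels and the policy finds nothing to deny.
	allowed, reason, _ = validateNodeUpdate(buildReview(attacker, attacker))
	fmt.Printf("vulnerable apiserver: allowed=%v %s\n", allowed, reason)
}
```

The point of the second call is that nothing in the webhook is wrong: it receives a well-formed review, parses it correctly, and still admits the change, because the information it needs never reaches it. No amount of hardening inside the webhook recovers the old labels; only the apiserver fix does.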
The vulnerability has low attack complexity and a high impact on integrity; it requires a principal that is already authorized to update Node objects, and it does not by itself expose data. When exploited, it lets such a principal bypass any control the validating webhook enforces over Node updates that depends on the previous state of the object, enabling unauthorized changes to node metadata without being stopped by the admission controller. Webhook checks that look only at the new object are not affected (Sysdig Blog).
The vulnerability is fixed in kube-apiserver versions v1.21.0, v1.20.6, v1.19.10, and v1.18.18. Because the webhook never receives the old metadata, it cannot be hardened against this on its own; upgrading the apiserver is the only fix. Clusters that cannot be patched immediately should enable Kubernetes audit logging and monitor update and patch requests against the nodes resource for unexpected callers, for example with Falco rules over the audit stream, so that exploitation attempts are at least detected (Sysdig Blog, Kubernetes Issue).
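As an added example of the audit-based detection suggested above (not Sysdig's published Falco rule and not Kubernetes project code), the following Go program scans audit.k8s.io/v1 events in JSON-lines form and reports successful update or patch requests against the nodes resource made by identities other than the node's own kubelet or the controller manager. The struct is a subset of the audit Event schema, the caller allowlist is an assumption to be tuned per cluster, and the sample events are constructed for this example rather than captured from a real cluster.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the audit.k8s.io/v1 Event schema that the detection needs. The
// struct is an assumption of this example; the field names follow the audit API.
type auditEvent struct {
	AuditID string `json:"auditID"`
	Stage   string `json:"stage"`
	Verb    string `json:"verb"`
	User    struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		Resource    string `json:"resource"`
		Subresource string `json:"subresource"`
		Name        string `json:"name"`
	} `json:"objectRef"`
	ResponseStatus struct {
		Code int `json:"code"`
	} `json:"responseStatus"`
}

// expectedNodeWriter reports whether the caller is one that legitimately
// rewrites Node objects: the node's own kubelet identity or the controller
// manager. This allowlist is an assumption for the example; tune it per cluster.
func expectedNodeWriter(ev auditEvent) bool {
	if ev.User.Username == "system:node:"+ev.ObjectRef.Name {
		return true
	}
	switch ev.User.Username {
	case "system:kube-controller-manager",
		"system:serviceaccount:kube-system:node-controller":
		return true
	}
	return false
}

// suspiciousNodeUpdates scans newline-delimited JSON audit events and returns
// the auditIDs of successful update/patch requests against the nodes resource
// (including subresources) from callers outside the allowlist. Malformed lines
// are skipped rather than aborting the scan.
func suspiciousNodeUpdates(auditLog string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue
		}
		if ev.Stage != "ResponseComplete" {
			continue // one event per request; ignore RequestReceived duplicates
		}
		if ev.ObjectRef.Resource != "nodes" {
			continue
		}
		if ev.Verb != "update" && ev.Verb != "patch" {
			continue
		}
		if ev.ResponseStatus.Code < 200 || ev.ResponseStatus.Code > 299 {
			continue // denied or failed writes never changed the object
		}
		if expectedNodeWriter(ev) {
			continue
		}
		hits = append(hits, ev.AuditID)
	}
	return hits
}

// sampleAuditLog is constructed for this example, not captured from a cluster:
// a1 kubelet patching its own node, a2 a user patching a node, a3 kubelet
// updating nodes/status, a4 a denied update, a5 a read.
const sampleAuditLog = `
{"auditID":"a1","stage":"ResponseComplete","verb":"patch","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"nodes","name":"worker-1"},"responseStatus":{"code":200}}
{"auditID":"a2","stage":"ResponseComplete","verb":"patch","user":{"username":"dev-user"},"objectRef":{"resource":"nodes","name":"worker-1"},"responseStatus":{"code":200}}
{"auditID":"a3","stage":"ResponseComplete","verb":"patch","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"nodes","subresource":"status","name":"worker-1"},"responseStatus":{"code":200}}
{"auditID":"a4","stage":"ResponseComplete","verb":"update","user":{"username":"dev-user"},"objectRef":{"resource":"nodes","name":"worker-2"},"responseStatus":{"code":403}}
{"auditID":"a5","stage":"ResponseComplete","verb":"get","user":{"username":"dev-user"},"objectRef":{"resource":"nodes","name":"worker-2"},"responseStatus":{"code":200}}
`

func main() {
	for _, id := range suspiciousNodeUpdates(sampleAuditLog) {
		fmt.Println("suspicious node write, auditID:", id)
	}
}
```

The events this needs (verb, user, objectRef, responseStatus) are present at the Metadata audit policy level, so the apiserver's audit log written via the audit-log backend can be fed to the scanner as-is. Falco's Kubernetes audit rules consume the same event stream, so the equivalent rule there keys on the same verb, resource and user fields. Note that this detects writes to Nodes from unexpected identities; it cannot tell whether a particular write actually slipped past a webhook, since the audit event does not record the old object.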
Source: This report was generated using AI