Refine your search
18 vulnerabilities found for by kyverno
CVE-2026-41485 (GCVE-0-2026-41485)
Vulnerability from cvelistv5
Published
2026-04-24 03:27
Modified
2026-04-24 18:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-617 - Reachable Assertion
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41485",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T18:52:40.901788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:53:26.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.16.4"
},
{
"status": "affected",
"version": "\u003e= 1.17.0-rc1, \u003c 1.17.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617: Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T03:27:08.865Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv"
},
{
"name": "https://github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3"
}
],
"source": {
"advisory": "GHSA-fpjq-c37h-cqcv",
"discovery": "UNKNOWN"
},
"title": "Kyverno Controller Denial of Service via forEach Mutation Panic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41485",
"datePublished": "2026-04-24T03:27:08.865Z",
"dateReserved": "2026-04-20T16:14:19.007Z",
"dateUpdated": "2026-04-24T18:53:26.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41323 (GCVE-0-2026-41323)
Vulnerability from cvelistv5
Published
2026-04-24 03:21
Modified
2026-04-24 12:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41323",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T12:04:48.048182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T12:05:00.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.16.4"
},
{
"status": "affected",
"version": "\u003e= 1.17.0-rc1, \u003c 1.17.2-rc1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno\u0027s apiCall feature in ClusterPolicy automatically attaches the admission controller\u0027s ServiceAccount token to outgoing HTTP requests. The service URL has no validation \u2014 it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T03:21:36.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4"
},
{
"name": "https://github.com/kyverno/kyverno/commit/bc4f91c4801b1eaa2edc0a14e2f1b0af8cf0c1f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/bc4f91c4801b1eaa2edc0a14e2f1b0af8cf0c1f5"
},
{
"name": "https://github.com/kyverno/kyverno/commit/c2eab00033e635bda4e4efb58c1b472b41728bb6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/c2eab00033e635bda4e4efb58c1b472b41728bb6"
},
{
"name": "https://github.com/kyverno/kyverno/commit/f70e8ac1e7acd2e3844f9553e4a884f07f953de0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/f70e8ac1e7acd2e3844f9553e4a884f07f953de0"
}
],
"source": {
"advisory": "GHSA-f9g8-6ppc-pqq4",
"discovery": "UNKNOWN"
},
"title": "Kyverno: ServiceAccount token leaked to external servers via apiCall service URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41323",
"datePublished": "2026-04-24T03:21:36.265Z",
"dateReserved": "2026-04-20T14:01:46.672Z",
"dateUpdated": "2026-04-24T12:05:00.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41068 (GCVE-0-2026-41068)
Vulnerability from cvelistv5
Published
2026-04-24 03:14
Modified
2026-04-24 16:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno's privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2.
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41068",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:21:58.960135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T16:22:26.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.17.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno\u0027s `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability \u2014 the `configMap.namespace` field accepts any namespace with zero validation, allowing a namespace admin to read ConfigMaps from any namespace using Kyverno\u0027s privileged service account. This is a complete RBAC bypass in multi-tenant Kubernetes clusters. An updated fix is available in version 1.17.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T03:14:27.640Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-cvq5-hhx3-f99p"
},
{
"name": "https://github.com/kyverno/kyverno/commit/bbf3e5c01391d612968440659028ae98e565a777",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/bbf3e5c01391d612968440659028ae98e565a777"
}
],
"source": {
"advisory": "GHSA-cvq5-hhx3-f99p",
"discovery": "UNKNOWN"
},
"title": "Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41068",
"datePublished": "2026-04-24T03:14:27.640Z",
"dateReserved": "2026-04-16T16:43:03.174Z",
"dateUpdated": "2026-04-24T16:22:26.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40868 (GCVE-0-2026-40868)
Vulnerability from cvelistv5
Published
2026-04-21 18:22
Modified
2026-04-22 13:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy). Namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage. This vulnerability is fixed in 1.16.4.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40868",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:34:55.762312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:35:50.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.16.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno\u2019s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy). Namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage. This vulnerability is fixed in 1.16.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922: Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T18:22:01.502Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp"
}
],
"source": {
"advisory": "GHSA-q93q-v844-jrqp",
"discovery": "UNKNOWN"
},
"title": "kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40868",
"datePublished": "2026-04-21T18:22:01.502Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-22T13:35:50.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4789 (GCVE-0-2026-4789)
Vulnerability from cvelistv5
Published
2026-03-30 20:44
Modified
2026-04-01 18:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-30T21:18:08.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/655822"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:43:09.447511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:43:50.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kyverno",
"vendor": "Kyverno",
"versions": [
{
"status": "affected",
"version": "1.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T20:44:00.607Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/kyverno/kyverno"
},
{
"url": "https://kb.cert.org/vuls/id/655822"
},
{
"url": "https://portswigger.net/web-security/ssrf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-4789",
"x_generator": {
"engine": "VINCE 3.0.35",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4789"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-4789",
"datePublished": "2026-03-30T20:44:00.607Z",
"dateReserved": "2026-03-24T20:03:13.388Z",
"dateUpdated": "2026-04-01T18:43:50.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23881 (GCVE-0-2026-23881)
Vulnerability from cvelistv5
Published
2026-01-27 16:10
Modified
2026-01-27 16:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23881",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T16:32:37.256106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T16:33:03.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.15.3"
},
{
"status": "affected",
"version": "\u003e= 1.16.0, \u003c 1.16.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno\u0027s policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T16:10:44.376Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq"
},
{
"name": "https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f"
},
{
"name": "https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7"
}
],
"source": {
"advisory": "GHSA-r2rj-wwm5-x6mq",
"discovery": "UNKNOWN"
},
"title": "Kyverno Denial of Service via Context Variable Amplification in Policy Engine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23881",
"datePublished": "2026-01-27T16:10:44.376Z",
"dateReserved": "2026-01-16T21:02:02.900Z",
"dateUpdated": "2026-01-27T16:33:03.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22039 (GCVE-0-2026-22039)
Vulnerability from cvelistv5
Published
2026-01-27 16:07
Modified
2026-01-27 16:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22039",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T16:41:31.229138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T16:42:49.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.15.3"
},
{
"status": "affected",
"version": "\u003e= 1.16.0, \u003c 1.16.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy\u2019s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno\u2019s admission controller identity, targeting any API path allowed by that ServiceAccount\u2019s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T16:07:19.698Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b"
},
{
"name": "https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e"
}
],
"source": {
"advisory": "GHSA-8p9x-46gm-qfx2",
"discovery": "UNKNOWN"
},
"title": "Kyverno Cross-Namespace Privilege Escalation via Policy apiCall"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22039",
"datePublished": "2026-01-27T16:07:19.698Z",
"dateReserved": "2026-01-05T22:30:38.719Z",
"dateUpdated": "2026-01-27T16:42:49.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47281 (GCVE-0-2025-47281)
Vulnerability from cvelistv5
Published
2025-07-23 20:35
Modified
2025-07-23 20:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2.
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47281",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T20:49:21.262159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T20:49:31.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T20:35:21.199Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq"
},
{
"name": "https://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7c"
}
],
"source": {
"advisory": "GHSA-r5p3-955p-5ggq",
"discovery": "UNKNOWN"
},
"title": "Kyverno\u0027s Improper JMESPath Variable Evaluation Leads to Denial of Service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47281",
"datePublished": "2025-07-23T20:35:21.199Z",
"dateReserved": "2025-05-05T16:53:10.373Z",
"dateUpdated": "2025-07-23T20:49:31.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46342 (GCVE-0-2025-46342)
Vulnerability from cvelistv5
Published
2025-04-30 14:55
Modified
2025-04-30 15:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T15:10:01.487557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T15:10:25.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.5"
},
{
"status": "affected",
"version": "\u003e= 1.14.0-alpha.1, \u003c 1.14.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T14:55:13.124Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc"
},
{
"name": "https://github.com/kyverno/kyverno/commit/3ff923b7756e1681daf73849954bd88516589194",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/3ff923b7756e1681daf73849954bd88516589194"
}
],
"source": {
"advisory": "GHSA-jrr2-x33p-6hvc",
"discovery": "UNKNOWN"
},
"title": "Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46342",
"datePublished": "2025-04-30T14:55:13.124Z",
"dateReserved": "2025-04-22T22:41:54.912Z",
"dateUpdated": "2025-04-30T15:10:25.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29778 (GCVE-0-2025-29778)
Vulnerability from cvelistv5
Published
2025-03-24 16:38
Modified
2025-03-24 17:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29778",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T17:55:17.656781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T17:55:28.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.0-alpha.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact\u0027s sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T16:38:08.104Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94"
},
{
"name": "https://github.com/kyverno/policies/issues/1246",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/policies/issues/1246"
},
{
"name": "https://github.com/kyverno/kyverno/pull/12237",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/pull/12237"
},
{
"name": "https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60"
},
{
"name": "https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537"
}
],
"source": {
"advisory": "GHSA-46mp-8w32-6g94",
"discovery": "UNKNOWN"
},
"title": "Kyverno ignores subjectRegExp and IssuerRegExp"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-29778",
"datePublished": "2025-03-24T16:38:08.104Z",
"dateReserved": "2025-03-11T14:23:00.475Z",
"dateUpdated": "2025-03-24T17:55:28.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48921 (GCVE-0-2024-48921)
Vulnerability from cvelistv5
Published
2024-10-29 14:14
Modified
2024-10-29 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions. This vulnerability is fixed in 1.13.0.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"lessThan": "1.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48921",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T14:57:32.532882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:58:36.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. \"disallow-privileged-containers,\" can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:14:36.260Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm"
}
],
"source": {
"advisory": "GHSA-qjvc-p88j-j9rm",
"discovery": "UNKNOWN"
},
"title": "Kyverno\u0027s PolicyException objects can be created in any namespace by default"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-48921",
"datePublished": "2024-10-29T14:14:36.260Z",
"dateReserved": "2024-10-09T22:06:46.173Z",
"dateUpdated": "2024-10-29T14:58:36.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47630 (GCVE-0-2023-47630)
Vulnerability from cvelistv5
Published
2023-11-14 20:59
Modified
2024-11-27 16:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Summary
Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The attacker could then return an vulnerable image to the the user and leverage that to further escalate their position. As such, the attacker would need to know which images the Kyverno user consumes and know of one of multiple exploitable vulnerabilities in previous digests of the images. Alternatively, if the attacker has compromised the registry, they could craft a malicious image with a different digest with intentionally placed vulnerabilities and deliver the image to the user. Users pulling their images by digests and from trusted registries are not impacted by this vulnerability. There is no evidence of this being exploited in the wild. The issue has been patched in 1.10.5. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:42.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-3hfq-cx9j-923w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-3hfq-cx9j-923w"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T16:13:56.239908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T16:14:09.547Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The attacker could then return an vulnerable image to the the user and leverage that to further escalate their position. As such, the attacker would need to know which images the Kyverno user consumes and know of one of multiple exploitable vulnerabilities in previous digests of the images. Alternatively, if the attacker has compromised the registry, they could craft a malicious image with a different digest with intentionally placed vulnerabilities and deliver the image to the user. Users pulling their images by digests and from trusted registries are not impacted by this vulnerability. There is no evidence of this being exploited in the wild. The issue has been patched in 1.10.5. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T20:59:46.100Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-3hfq-cx9j-923w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-3hfq-cx9j-923w"
}
],
"source": {
"advisory": "GHSA-3hfq-cx9j-923w",
"discovery": "UNKNOWN"
},
"title": "Attacker can cause Kyverno user to unintentionally consume insecure image"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47630",
"datePublished": "2023-11-14T20:59:46.100Z",
"dateReserved": "2023-11-07T16:57:49.244Z",
"dateUpdated": "2024-11-27T16:14:09.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42813 (GCVE-0-2023-42813)
Vulnerability from cvelistv5
Published
2023-11-13 20:34
Modified
2024-08-02 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:23.998Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003e= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, \u003c fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users\u0027 admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T18:50:11.424Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-wc3x-5rfv-hh5v"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"source": {
"advisory": "GHSA-wc3x-5rfv-hh5v",
"discovery": "UNKNOWN"
},
"title": "Denial of service from malicious manifest in kyverno"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42813",
"datePublished": "2023-11-13T20:34:23.826Z",
"dateReserved": "2023-09-14T16:13:33.308Z",
"dateUpdated": "2024-08-02T19:30:23.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42814 (GCVE-0-2023-42814)
Vulnerability from cvelistv5
Published
2023-11-13 20:34
Modified
2024-08-02 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Summary
Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003e= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, \u003c fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users\u0027 admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T18:51:24.873Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-9g37-h7p2-2c6r"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"source": {
"advisory": "GHSA-9g37-h7p2-2c6r",
"discovery": "UNKNOWN"
},
"title": "Denial of service from malicious image manifest in kyverno"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42814",
"datePublished": "2023-11-13T20:34:05.257Z",
"dateReserved": "2023-09-14T16:13:33.308Z",
"dateUpdated": "2024-08-02T19:30:24.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42815 (GCVE-0-2023-42815)
Vulnerability from cvelistv5
Published
2023-11-13 20:33
Modified
2024-08-02 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Summary
Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.650Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003e= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, \u003c fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users\u0027 admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T18:53:14.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hjpv-68f4-2262"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"source": {
"advisory": "GHSA-hjpv-68f4-2262",
"discovery": "UNKNOWN"
},
"title": "Denial of service from malicious image manifest in kyverno"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42815",
"datePublished": "2023-11-13T20:33:24.955Z",
"dateReserved": "2023-09-14T16:13:33.308Z",
"dateUpdated": "2024-08-02T19:30:24.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42816 (GCVE-0-2023-42816)
Vulnerability from cvelistv5
Published
2023-11-13 20:23
Modified
2024-08-02 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Summary
Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003e= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, \u003c fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users\u0027 admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T18:54:09.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"source": {
"advisory": "GHSA-4mp4-46gq-hv3r",
"discovery": "UNKNOWN"
},
"title": "Denial of service from malicious signature in kyverno"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42816",
"datePublished": "2023-11-13T20:23:16.248Z",
"dateReserved": "2023-09-14T16:13:33.308Z",
"dateUpdated": "2024-08-02T19:30:24.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34091 (GCVE-0-2023-34091)
Vulnerability from cvelistv5
Published
2023-06-01 16:24
Modified
2025-01-08 21:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being consciously exempted by Kyverno, as a way to reduce processing load as policies are typically not applied to objects which are being deleted. However, this could potentially result in allowing a malicious user to leverage the Kubernetes finalizers feature by setting a finalizer which causes the Kubernetes API server to set the `deletionTimestamp` and then not completing the delete operation as a way to explicitly to bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:53.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc"
},
{
"name": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T21:32:38.963338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T21:32:51.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being consciously exempted by Kyverno, as a way to reduce processing load as policies are typically not applied to objects which are being deleted. However, this could potentially result in allowing a malicious user to leverage the Kubernetes finalizers feature by setting a finalizer which causes the Kubernetes API server to set the `deletionTimestamp` and then not completing the delete operation as a way to explicitly to bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-01T16:24:53.920Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc"
},
{
"name": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/releases/tag/v1.10.0"
}
],
"source": {
"advisory": "GHSA-hq4m-4948-64cc",
"discovery": "UNKNOWN"
},
"title": "Kyverno resource with a deletionTimestamp may allow policy circumvention"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34091",
"datePublished": "2023-06-01T16:24:53.920Z",
"dateReserved": "2023-05-25T21:56:51.244Z",
"dateUpdated": "2025-01-08T21:32:51.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33191 (GCVE-0-2023-33191)
Vulnerability from cvelistv5
Published
2023-05-30 06:06
Modified
2025-01-10 19:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-33hq-f2mf-jm3c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-33hq-f2mf-jm3c"
},
{
"name": "https://github.com/kyverno/kyverno/pull/7263",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/pull/7263"
},
{
"name": "https://github.com/kyverno/kyverno/releases/tag/v1.9.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/releases/tag/v1.9.4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T19:00:22.599496Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T19:00:31.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.9.2, \u003c 1.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T06:06:14.987Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-33hq-f2mf-jm3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-33hq-f2mf-jm3c"
},
{
"name": "https://github.com/kyverno/kyverno/pull/7263",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/pull/7263"
},
{
"name": "https://github.com/kyverno/kyverno/releases/tag/v1.9.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/releases/tag/v1.9.4"
}
],
"source": {
"advisory": "GHSA-33hq-f2mf-jm3c",
"discovery": "UNKNOWN"
},
"title": "kyverno seccomp control can be circumvented"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33191",
"datePublished": "2023-05-30T06:06:14.987Z",
"dateReserved": "2023-05-17T22:25:50.699Z",
"dateUpdated": "2025-01-10T19:00:31.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}