History: Dec 23, 2022 - 11:15 p.m.

CVE-2022-47633

2022-12-23 23:15:08
CWE-287
mitre
web.nvd.nist.gov
cve-2022-47633
image signature
validation bypass
kyverno
kubernetes
vulnerability
nvd

CVSS3: 8.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.8
Confidence: High

EPSS: 0.002
Percentile: 58.7%

An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This has been fixed in 1.8.5 and mitigations are available for impacted releases.

Affected configurations

Nvd

Node: kyverno kyverno Match 1.8.3 OR kyverno kyverno Match 1.8.4

Vendor | Product | Version | CPE
kyverno | kyverno | 1.8.3 | cpe:2.3:a:kyverno:kyverno:1.8.3:*:*:*:*:*:*:*
kyverno | kyverno | 1.8.4 | cpe:2.3:a:kyverno:kyverno:1.8.4:*:*:*:*:*:*:*
