GoogleOSV:GHSA-M3CQ-XCX9-3GVMkyverno verifyImages rule bypass possible with malicious proxy/registry
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.7%
Impact
Users of Kyverno on versions 1.8.3 or 1.8.4 who use verifyImages rules to verify container image signatures, and do not prevent use of unknown registries.
Patches
This issue has been fixed in version 1.8.5
Workarounds
Configure a Kyverno policy to restrict registries to a set of secure trusted image registries (sample).
References
References
github.com/kyverno/kyverno
github.com/kyverno/kyverno/compare/v1.8.4...v1.8.5
github.com/kyverno/kyverno/pull/5713
github.com/kyverno/kyverno/releases/tag/v1.8.5
github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
kyverno.io/docs/writing-policies/verify-images
kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
nvd.nist.gov/vuln/detail/CVE-2022-47633
pkg.go.dev/vuln/GO-2022-1180
web.archive.org/web/20230426095744/https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.7%