Insufficient Verification Of Data Authenticity

2023-11-1606:01:47

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

kyverno

vulnerability

image digest

attacker

registry

compromise

escalation

attacks

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

github.com/kyverno/kyverno is vulnerable to Insufficient Verification Of Data Authenticity. The vulnerability allows an attacker to control the digest of images used by Kyverno users. To exploit this issue, the attacker would need to compromise the registry from which Kyverno fetches its images. Once compromised, the attacker could provide a vulnerable image to the user and leverage it to further escalate their position or carry out additional attacks.