Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tM2NxLXhjeDktM2d2bc4AAweX
kyverno verifyImages rule bypass possible with malicious proxy/registry
Impact
Users of Kyverno versions 1.8.3 or 1.8.4 who use verifyImages rules to verify container image signatures, and who do not prevent the use of unknown registries, are affected: a malicious proxy or registry can cause a verifyImages rule to be bypassed.
Patches
This issue has been fixed in version 1.8.5.
Workarounds
Configure a Kyverno policy that restricts image registries to a set of trusted registries (sample policy: https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries).
Permalink: https://github.com/advisories/GHSA-m3cq-xcx9-3gvm
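The workaround above, as an added example that is neither the sample policy the advisory links to nor Kyverno project code: a ClusterPolicy that admits only images from an explicit allow-list of registries, alongside a verifyImages rule scoped to those same registries. The registry names (ghcr.io/example-org, registry.example.com), the policy and rule names, and the public key placeholder are assumptions; replace them with your own values and your own cosign public key.

```yaml
# Added example (not from the advisory or the Kyverno project).
# Policy 1: reject any Pod whose containers pull from a registry that is
# not on the allow-list. An image reference without a registry prefix
# (e.g. "nginx") does not match either pattern and is therefore denied.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: Enforce   # Audit would only log, not block
  background: true
  rules:
    - name: validate-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images may only be pulled from ghcr.io/example-org or registry.example.com."
        pattern:
          spec:
            # "=(...)" marks the field as optional; the pattern applies only when present.
            =(ephemeralContainers):
              - image: "ghcr.io/example-org/* | registry.example.com/*"
            =(initContainers):
              - image: "ghcr.io/example-org/* | registry.example.com/*"
            containers:
              - image: "ghcr.io/example-org/* | registry.example.com/*"
---
# Policy 2: verify cosign signatures for images from the trusted registries.
# Scoping imageReferences to the same registries as policy 1 means no
# signature check is ever run against an attacker-controlled registry.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail                 # webhook errors must not admit the Pod
  rules:
    - name: verify-trusted-registry-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
            - "registry.example.com/*"
          required: true              # unsigned images are rejected
          mutateDigest: true          # rewrite the tag to the verified digest
          verifyDigest: true
          attestors:
            - entries:
                - keys:
                    # Placeholder (assumption): substitute the PEM public key
                    # that pairs with the cosign private key used to sign images.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE_WITH_YOUR_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
```

Apply both policies with `kubectl apply -f` on Kyverno 1.8.5 or later. Both must be in Enforce mode: a Pod referencing an unlisted registry fails the first policy regardless of what the signature check returns, which is exactly the exposure the advisory's workaround is meant to close, and an Audit-mode registry policy would only record the violation.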
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tM2NxLXhjeDktM2d2bc4AAweX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 3 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-m3cq-xcx9-3gvm, CVE-2022-47633
References:
- https://github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
- https://github.com/kyverno/kyverno/pull/5713
- https://github.com/kyverno/kyverno/releases/tag/v1.8.5
- https://nvd.nist.gov/vuln/detail/CVE-2022-47633
- https://github.com/kyverno/kyverno/compare/v1.8.4...v1.8.5
- https://kyverno.io/docs/writing-policies/verify-images/
- https://pkg.go.dev/vuln/GO-2022-1180
- https://web.archive.org/web/20230426095744/https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries/
- https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
- https://github.com/advisories/GHSA-m3cq-xcx9-3gvm
Blast Radius: 9.8
Affected Packages
go:github.com/kyverno/kyverno
Dependent packages: 21
Dependent repositories: 16
Affected Version Ranges: >= 1.8.3, < 1.8.5
Fixed in: 1.8.5
All affected versions: 1.8.3, 1.8.4
All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.10, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.8.0, 1.8.1, 1.8.2, 1.8.5, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0