GHSA-m3cq-xcx9-3gvm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m3cq-xcx9-3gvm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-m3cq-xcx9-3gvm/GHSA-m3cq-xcx9-3gvm.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-m3cq-xcx9-3gvm
- Aliases
- Related
- Published
- 2022-12-21T17:24:10Z
- Modified
- 2023-11-01T05:00:31.158350Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- kyverno verifyImages rule bypass possible with malicious proxy/registry
- Details
-
Impact
Users of Kyverno on versions 1.8.3 or 1.8.4 who use
verifyImagesrules to verify container image signatures, and do not prevent use of unknown registries.Patches
This issue has been fixed in version 1.8.5
Workarounds
Configure a Kyverno policy to restrict registries to a set of secure trusted image registries (sample).
References
- Database specific
{ "nvd_published_at": "2022-12-23T23:15:00Z", "cwe_ids": [ "CWE-287" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-12-21T17:24:10Z" }- References
-
- https://github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
- https://nvd.nist.gov/vuln/detail/CVE-2022-47633
- https://github.com/kyverno/kyverno/pull/5713
- https://github.com/kyverno/kyverno
- https://github.com/kyverno/kyverno/compare/v1.8.4...v1.8.5
- https://github.com/kyverno/kyverno/releases/tag/v1.8.5
- https://kyverno.io/docs/writing-policies/verify-images
- https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
- https://pkg.go.dev/vuln/GO-2022-1180
- https://web.archive.org/web/20230426095744/https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
Affected packages
Go / github.com/kyverno/kyverno
Package
- Name
- github.com/kyverno/kyverno
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/kyverno/kyverno