VDB
CISA-2025-29778
CISA-2025-29778
PUBLISHED
CVSS 5.8 MEDIUM
Reported by GitHub_M · Published March 24, 2025
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.
Risk Scores
CVSS 3.1
5.8
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| kyverno | kyverno | < 1.14.0-alpha.1 |
| kyverno | kyverno | < 1.14.0-alpha.1, < 1.14.0-alpha.1 |
Timeline
- Mar 24, 2025 CVE Published
- Mar 24, 2025 CVE Updated
References
- https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94 x_refsource_CONFIRM
- https://github.com/kyverno/policies/issues/1246 x_refsource_MISC
- https://github.com/kyverno/kyverno/pull/12237 x_refsource_MISC
- https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60 x_refsource_MISC
- https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537 x_refsource_MISC