Upstream information
Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying an artifact's signature in keyless mode. This allows an attacker to deploy Kubernetes resources with artifacts that were signed by an unexpected certificate. Deploying these unauthorized Kubernetes resources can lead to full compromise of the Kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.
SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| | CNA (GitHub) | SUSE |
|---|---|---|
| Base Score | 5.8 | 5.8 |
| Vector | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N |
| Attack Vector | Network | Network |
| Attack Complexity | High | High |
| Privileges Required | High | High |
| User Interaction | None | None |
| Scope | Changed | Changed |
| Confidentiality Impact | None | None |
| Integrity Impact | High | High |
| Availability Impact | None | None |
| CVSSv3 Version | 3.1 | 3.1 |
SUSE Timeline for this CVE
CVE page created: Mon Mar 24 20:01:32 2025
CVE page last modified: Tue Mar 25 14:10:30 2025
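The identity check that the description above says Kyverno skipped, as an added Go illustration (not Kyverno's own code): a keyless attestor's subject/issuer constraints, including their RegExp variants, are applied to the identity taken from the signing certificate, with the regexp anchored so it cannot match a substring of a longer identity. The type and field names are assumptions modelled on the page's subjectRegExp/IssuerRegExp, and the sample identities are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identity is what a verifier extracts from a keyless (Fulcio-issued) signing
// certificate: the SAN (a CI workflow URI or an e-mail) and the OIDC issuer.
type Identity struct {
	Subject string
	Issuer  string
}

// Keyless mirrors the constraint fields of a keyless attestor entry (exact
// subject/issuer plus RegExp variants); hypothetical names, not Kyverno's code.
type Keyless struct {
	Subject, SubjectRegExp string
	Issuer, IssuerRegExp   string
}

// matchField accepts value if it equals the exact constraint or fully matches
// the regexp constraint; with neither set the field is unconstrained. The
// pattern is anchored, and a configured regexp is never silently skipped.
func matchField(value, exact, pattern string) (bool, error) {
	if exact != "" && value == exact {
		return true, nil
	}
	if pattern == "" {
		return exact == "", nil
	}
	return regexp.MatchString("^(?:"+pattern+")$", value)
}

// Accept reports whether id satisfies both the subject and issuer constraints.
func (k Keyless) Accept(id Identity) (bool, error) {
	if ok, err := matchField(id.Subject, k.Subject, k.SubjectRegExp); err != nil || !ok {
		return false, err
	}
	return matchField(id.Issuer, k.Issuer, k.IssuerRegExp)
}

func main() {
	// Constructed sample: only release workflows of one GitHub org may sign.
	k := Keyless{Issuer: "https://token.actions.githubusercontent.com",
		SubjectRegExp: `https://github\.com/example-org/[^/]+/\.github/workflows/release\.yml@refs/tags/v.+`}
	id := Identity{Subject: "https://github.com/other-org/app/.github/workflows/release.yml@refs/tags/v1.0.0",
		Issuer: "https://token.actions.githubusercontent.com"}
	fmt.Println(k.Accept(id)) // false <nil>: unexpected signer, must be rejected
}
```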