CVE-2022-47633
Published: 2022-12-23
Priority: P3 · 45
CVSS 3.1: 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.96% (57.0th percentile)
An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker between Kyverno and the registry) to inject unsigned, arbitrary container images into a Kubernetes cluster that is protected by `verifyImages` rules. The issue is fixed in 1.8.5, and a mitigation (restricting pods to trusted registries) is available for affected releases.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kyverno_kyverno | >= 1.8.3 < 1.8.5 | 1.8.5 |
| kyverno | kyverno | — | — |
| kyverno | kyverno | — | — |
OSV (2022-12-27): Verification rule bypass in github.com/kyverno/kyverno
A malicious proxy/registry can bypass verifyImages rules.
GHSA-m3cq-xcx9-3gvm (2022-12-21), severity High, CWE-287: kyverno verifyImages rule bypass possible with malicious proxy/registry
### Impact
Affected are users of Kyverno 1.8.3 or 1.8.4 who rely on `verifyImages` rules to verify container image signatures and do not also restrict pods to a known set of registries. In that configuration a registry or proxy that answers Kyverno's verification requests can cause an unsigned image to be admitted.
### Patches
This issue has been fixed in version [1.8.5](https://github.com/kyverno/kyverno/releases/tag/v1.8.5)
### Workarounds
Configure a Kyverno policy to restrict registries to a set of secure trusted image registries ([sample](https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries/)).
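The workaround above as a concrete pair of policies. This is an added example written for this page, not the advisory's or the Kyverno project's own policy text; the registry hosts `ghcr.io/example-org` and `registry.example.com`, the policy and rule names, and the public-key placeholder are assumptions and must be replaced with your own values. The first policy denies any pod whose containers, init containers, or ephemeral containers reference an image outside the trusted registries; the second is the `verifyImages` rule whose signature check this CVE concerns, now scoped to the same trusted hosts.

```yaml
# Added example: restrict pod images to trusted registries (the CVE-2022-47633 mitigation).
# Registry hosts, names and key below are placeholders, not values from the advisory.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: Enforce   # reject, do not merely audit
  background: true                   # also report existing pods that violate the rule
  rules:
    - name: validate-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Images may only be pulled from ghcr.io/example-org or registry.example.com.
        pattern:
          spec:
            # "=(key)" makes the optional fields conditional: validated only when present.
            =(ephemeralContainers):
              - image: "ghcr.io/example-org/* | registry.example.com/*"
            =(initContainers):
              - image: "ghcr.io/example-org/* | registry.example.com/*"
            containers:
              - image: "ghcr.io/example-org/* | registry.example.com/*"
---
# Added example: the signature-verification rule, limited to the same trusted hosts.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  background: false                  # verifyImages runs at admission time only
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
            - "registry.example.com/*"
          attestors:
            - entries:
                - keys:
                    # Placeholder: substitute the cosign public key used to sign your images.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE-WITH-YOUR-COSIGN-PUBLIC-KEY
                      -----END PUBLIC KEY-----
```

Apply both with `kubectl apply -f`, and keep the registry allowlist in place even after upgrading to 1.8.5: the bypass depends on an untrusted endpoint answering Kyverno's verification requests, so the allowlist is what removes that endpoint from the path. Note that the pattern is matched against the literal `image` string in the pod spec, so a short reference such as `nginx:1.25` (which the runtime resolves to docker.io) does not match either host and is rejected, which is the intended fail-closed behaviour.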
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
- https://github.com/kyverno/kyverno/pull/5713
- https://github.com/kyverno/kyverno/compare/v1.8.4...v1.8.5
- https://github.com/kyverno/kyverno/releases/tag/v1.8.5
- https://kyverno.io/docs/writing-policies/verify-images/