CVE-2023-33191
Published 2023-05-30
Priority P346, high, 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% (38.1th percentile)
Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kyverno_kyverno | >= 1.9.2 < 1.9.4 | 1.9.4 |
| kyverno | kyverno | — | — |
| nirmata | kyverno | >= 1.9.2 < 1.9.4 | 1.9.4 |
OSV
kyverno seccomp control can be circumvented in github.com/kyverno/kyverno
osv·2024-08-20
CVE-2023-33191 kyverno seccomp control can be circumvented in github.com/kyverno/kyverno
OSV
kyverno seccomp control can be circumvented
osv·2023-05-25
CVE-2023-33191 [MEDIUM] kyverno seccomp control can be circumvented
### Impact
Users of the podSecurity (`validate.podSecurity`) subrule in Kyverno versions v1.9.2 and v1.9.3 may be unable to enforce the check for the Seccomp control at the baseline level when using a `version` value of `latest`. There is no effect if a version number is referenced instead. See the [documentation](https://kyverno.io/docs/writing-policies/validate/#pod-security) for information on this subrule type. Users of Kyverno v1.9.2 and v1.9.3 are affected.
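One way to check whether a cluster matches the condition described above, as an added example that is not part of the advisory or the Kyverno project: it flags `validate.podSecurity` subrules that combine `level: baseline` with `version: latest` when the running Kyverno release is v1.9.2 or v1.9.3. The function names and the sample policies are hypothetical; the input is assumed to be the `items` list from `kubectl get clusterpolicy -o json`.

```python
import json

AFFECTED = {(1, 9, 2), (1, 9, 3)}  # Kyverno releases named in the advisory

# Constructed sample in the shape of `kubectl get clusterpolicy -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "psa-baseline"}, "spec": {"rules": [
   {"name": "baseline-latest",
    "validate": {"podSecurity": {"level": "baseline", "version": "latest"}}}]}},
 {"metadata": {"name": "psa-pinned"}, "spec": {"rules": [
   {"name": "baseline-pinned",
    "validate": {"podSecurity": {"level": "baseline", "version": "v1.24"}}}]}},
 {"metadata": {"name": "require-labels"}, "spec": {"rules": [
   {"name": "check-team",
    "validate": {"pattern": {"metadata": {"labels": {"team": "?*"}}}}}]}}
]}
""")["items"]


def parse_version(tag):
    """'v1.9.3' -> (1, 9, 3). Assumption: any '-suffix' is ignored."""
    core = tag.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def exposed_rules(policies, kyverno_version):
    """Return (policy, rule) pairs matching the advisory's condition:
    affected Kyverno release + podSecurity level 'baseline' + version 'latest'."""
    if parse_version(kyverno_version) not in AFFECTED:
        return []
    hits = []
    for policy in policies:
        policy_name = policy.get("metadata", {}).get("name", "<unnamed>")
        for rule in policy.get("spec", {}).get("rules", []):
            pod_security = (rule.get("validate") or {}).get("podSecurity")
            if not pod_security:
                continue  # not a podSecurity subrule
            if (pod_security.get("level") == "baseline"
                    and pod_security.get("version") == "latest"):
                hits.append((policy_name, rule.get("name", "<unnamed>")))
    return hits


if __name__ == "__main__":
    for policy, rule in exposed_rules(SAMPLE, "v1.9.3"):
        print(f"{policy}/{rule}: pin podSecurity.version or upgrade to v1.9.4")
```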
### Patches
v1.9.4
v1.10.0
### Workarounds
To work around this issue without upgrading to v1.9.4, temporarily install individual policies for the respective Seccomp checks in baseline [here](https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/) and r
GHSA
kyverno seccomp control can be circumvented
ghsa·2023-05-25
CVE-2023-33191 [MEDIUM] CWE-284 kyverno seccomp control can be circumvented
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/kyverno/kyverno/pull/7263
https://github.com/kyverno/kyverno/releases/tag/v1.9.4
https://github.com/kyverno/kyverno/security/advisories/GHSA-33hq-f2mf-jm3c