CVE-2023-34091
Published: 2023-06-01
Priority P3 · 38 · medium 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.50% (38.8th percentile)
Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This happens because Kyverno deliberately exempted resources pending deletion in order to reduce processing load, since policies are typically not applied to objects which are being deleted. However, a malicious user can leverage the Kubernetes finalizers feature to exploit this exemption: setting a finalizer on an object causes the Kubernetes API server to set the `deletionTimestamp` when the object is deleted, and as long as the finalizer is never removed the delete operation never completes, leaving an object that persists in the API but is no longer subject to Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround.
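To make the exemption concrete, the following Go program is an added illustration (it is not Kyverno's code and does not reproduce the project's actual patch). It models an `Enforce` validate rule behind two admission gates: one that skips any object whose `deletionTimestamp` is set, as pre-1.10.0 Kyverno did, and one that evaluates every object. It also runs a hunt over a constructed object list for non-Pod resources that have been pending deletion behind a finalizer for longer than a threshold, which is exactly the state an attacker has to sustain. The required-`team`-label rule, the `example.com/hold` finalizer and the sample objects are all constructed for the example; the "fixed" gate simply drops the exemption, which is an assumption about correct webhook behaviour rather than a description of the 1.10.0 change.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// ObjectMeta is the slice of Kubernetes object metadata this example needs.
type ObjectMeta struct {
	Name              string            `json:"name"`
	Namespace         string            `json:"namespace"`
	Labels            map[string]string `json:"labels"`
	Finalizers        []string          `json:"finalizers"`
	DeletionTimestamp *time.Time        `json:"deletionTimestamp,omitempty"`
}

// Object is a minimal typed view of the object carried in an admission request.
type Object struct {
	Kind     string     `json:"kind"`
	Metadata ObjectMeta `json:"metadata"`
}

// sampleObjects is constructed input: a compliant Service; a Service that was deleted
// while holding a finalizer nobody will ever remove and was then updated to drop its
// required label; and a Pod pending deletion (the advisory notes Pods are not affected).
const sampleObjects = `[
  {"kind":"Service","metadata":{"name":"web","namespace":"prod","labels":{"team":"payments"}}},
  {"kind":"Service","metadata":{"name":"stuck","namespace":"prod","labels":{},
   "finalizers":["example.com/hold"],"deletionTimestamp":"2023-06-01T10:00:00Z"}},
  {"kind":"Pod","metadata":{"name":"job-1","namespace":"prod","labels":{},
   "finalizers":["batch.kubernetes.io/job-tracking"],"deletionTimestamp":"2023-06-01T10:00:00Z"}}
]`

// requireTeamLabel stands in for a validate rule with validationFailureAction: Enforce.
func requireTeamLabel(o Object) error {
	if o.Metadata.Labels["team"] == "" {
		return fmt.Errorf("%s %s/%s: label \"team\" is required", o.Kind, o.Metadata.Namespace, o.Metadata.Name)
	}
	return nil
}

// admitPre110 models the exemption the advisory describes: an object whose
// deletionTimestamp is set is admitted without the rule ever running.
func admitPre110(o Object) error {
	if o.Metadata.DeletionTimestamp != nil {
		return nil // pending deletion: skipped to save work
	}
	return requireTeamLabel(o)
}

// admitFixed evaluates the rule regardless of deletionTimestamp (assumed fixed behaviour).
func admitFixed(o Object) error {
	return requireTeamLabel(o)
}

// parseObjects decodes a JSON list of objects (for instance the .items of `kubectl get svc -A -o json`).
func parseObjects(raw string) ([]Object, error) {
	var objs []Object
	if err := json.Unmarshal([]byte(raw), &objs); err != nil {
		return nil, err
	}
	return objs, nil
}

// findBypassCandidates returns "namespace/name" for non-Pod objects that have been pending
// deletion for longer than maxAge while still holding finalizers: the state an attacker
// must sustain to exploit the exemption, and one worth alerting on regardless.
func findBypassCandidates(objs []Object, now time.Time, maxAge time.Duration) []string {
	var out []string
	for _, o := range objs {
		if o.Kind == "Pod" || o.Metadata.DeletionTimestamp == nil || len(o.Metadata.Finalizers) == 0 {
			continue
		}
		if now.Sub(*o.Metadata.DeletionTimestamp) > maxAge {
			out = append(out, o.Metadata.Namespace+"/"+o.Metadata.Name)
		}
	}
	return out
}

func main() {
	objs, err := parseObjects(sampleObjects)
	if err != nil {
		panic(err)
	}
	for _, o := range objs {
		fmt.Printf("%-7s %s/%s  admitted pre-1.10.0: %v  admitted fixed: %v\n",
			o.Kind, o.Metadata.Namespace, o.Metadata.Name, admitPre110(o) == nil, admitFixed(o) == nil)
	}
	now := time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println("pending deletion behind a finalizer for >1h:", findBypassCandidates(objs, now, time.Hour))
}
```

Two caveats when reproducing this against a real cluster. The API server refuses to add new finalizers to an object whose `deletionTimestamp` is already set, so the finalizer has to be placed on the object before the delete is issued. And removing the finalizer lets the pending delete complete immediately, which is the only cleanup for anything the hunt flags; it does not close the bypass, for which the fix remains upgrading Kyverno to 1.10.0.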
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kyverno_kyverno | >= 0 < 1.10.0 | 1.10.0 |
| kyverno | kyverno | < 1.10.0 | 1.10.0 |
| nirmata | kyverno | < 1.10.0 | 1.10.0 |
References
- OSV (2024-08-20): Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno
- OSV (2023-06-05), severity MEDIUM: Kyverno resource with a deletionTimestamp may allow policy circumvention
- GHSA (2023-06-05), severity MEDIUM, CWE-285 (Improper Authorization): Kyverno resource with a deletionTimestamp may allow policy circumvention

The OSV and GHSA advisories carry the same Impact text as the description above and link the Kubernetes finalizers documentation: https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.