CVE-2025-46342
published 2025-04-30
Priority: P3 49 · high · 8.2 (CVSS 3.1)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
EPSS: 0.62% (45.1th percentile)
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.
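The failure mode described above, as an added Go example that is a constructed model and not Kyverno's source: a namespace label lookup whose error is discarded makes a selector-scoped rule look "not applicable", so a non-compliant request is admitted. The names `nsLister`, `admitSwallow` and `admitPropagate`, the `env=prod` selector and the `payments` namespace are hypothetical; rejecting the request on error is this model's assumption.

```go
package main

import "fmt"

// Constructed model, not Kyverno source: a namespace label lookup that can fail.
type nsLister struct {
	labels map[string]map[string]string
	err    error // simulated lookup failure
}

func (l nsLister) get(ns string) (map[string]string, error) {
	if l.err != nil {
		return nil, l.err
	}
	return l.labels[ns], nil
}

// matches reports whether every selector label is set on the namespace.
func matches(selector, nsLabels map[string]string) bool {
	for k, v := range selector {
		if nsLabels[k] != v {
			return false
		}
	}
	return true
}

// admitSwallow drops the lookup error: empty labels never match the selector,
// so the rule is treated as not applicable and the request is admitted.
func admitSwallow(l nsLister, ns string, sel map[string]string, compliant bool) bool {
	labels, _ := l.get(ns) // error discarded
	return !matches(sel, labels) || compliant
}

// admitPropagate returns the error so the caller can reject instead of skipping the rule.
func admitPropagate(l nsLister, ns string, sel map[string]string, compliant bool) (bool, error) {
	labels, err := l.get(ns)
	if err != nil {
		return false, fmt.Errorf("namespace labels for %q: %w", ns, err)
	}
	return !matches(sel, labels) || compliant, nil
}

func main() {
	sel := map[string]string{"env": "prod"}
	l := nsLister{labels: map[string]map[string]string{"payments": {"env": "prod"}}, err: fmt.Errorf("lister unavailable")}
	fmt.Println(admitSwallow(l, "payments", sel, false))   // rule skipped, request admitted
	fmt.Println(admitPropagate(l, "payments", sel, false)) // error surfaced to the caller
}
```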
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kyverno_kyverno | >= 0 < 1.13.5 | 1.13.5 |
| github.com | kyverno_kyverno | >= 1.14.0-alpha.1 < 1.14.0 | 1.14.0 |
| kyverno | kyverno | < 1.13.5 | 1.13.5 |
| kyverno | kyverno | <= 1.11.5 | — |
| kyverno | kyverno | — | — |
| kyverno | kyverno | >= 1.12.0 < 1.13.5 | 1.13.5 |
OSV
Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements in github.com/kyverno/kyverno
osv·2025-05-05
CVE-2025-46342 Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements in github.com/kyverno/kyverno
GHSA
Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements
ghsa·2025-04-29
CVE-2025-46342 [HIGH] CWE-1287 Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements
### Summary
Due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go` it may happen that policy rules using namespace selector(s) in their `match` statements are mistakenly not applied during admission review request processing. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations.
### Details
As a policy engine, Kyverno is a critical component ensuring the security of Kubernetes clusters by applying security-relevant policy rules in the Kubernetes admission control process.
We encountered a case where Kyverno did not apply polic
OSV
Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements
osv·2025-04-29
CVE-2025-46342 [HIGH] Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements
No detection rules found.
No public exploits indexed.
Published: 2025-04-30