CVE-2025-46342

Опубликовано: 30 апр. 2025

Источник: nvd

CVSS3: 8.5

CVSS3: 8.2

EPSS Низкий

Описание

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function GetNamespaceSelectorsFromNamespaceLister in pkg/utils/engine/labels.go. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.

Ссылки

https://github.com/kyverno/kyverno/commit/3ff923b7756e1681daf73849954bd88516589194
Patch
https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*

Версия до 1.11.5 (включая)

cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*

Версия от 1.12.0 (включая) до 1.13.5 (исключая)

EPSS

Процентиль: 34%

0.00139

Низкий

8.5 High

CVSS3

8.2 High

CVSS3

Дефекты

CWE-1287

NVD-CWE-noinfo

Связанные уязвимости

GHSA-jrr2-x33p-6hvc

CVSS3: 8.5

github

9 месяцев назад

Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements

EPSS

Процентиль: 34%

0.00139

Низкий

8.5 High

CVSS3

8.2 High

CVSS3

Дефекты

CWE-1287

NVD-CWE-noinfo