Kyverno resource with a deletionTimestamp may allow policy circumvention
Description
Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the deletionTimestamp field defined can bypass validate, generate, or mutate-existing policies, even in cases where the validationFailureAction field is set to Enforce. This occurs because resources pending deletion were deliberately exempted by Kyverno to reduce processing load, since policies are typically not applied to objects that are being deleted. However, this could allow a malicious user to leverage the Kubernetes finalizers feature: setting a finalizer causes the Kubernetes API server to set the deletionTimestamp, and never completing the delete operation then leaves the resource in a state that explicitly bypasses a Kyverno policy. Note that this is not applicable to Kubernetes Pods, but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround.
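As an added defender-side check (not code from the Kyverno project or from this advisory), the Python below audits a `kubectl get ... -o json` style listing for resources that carry a deletionTimestamp together with finalizers, which is exactly the state that affected Kyverno versions exempted from policy evaluation, and tests whether a Kyverno version predates the 1.10.0 fix. The resource items are constructed samples, and the one-hour "stuck" threshold and the hypothetical `example.com/hold-open` finalizer are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `kubectl get svc,pod -A -o json`
# (not captured from a real cluster).
SAMPLE = json.dumps({"items": [
    {"kind": "Service", "metadata": {"name": "web", "namespace": "prod",
        "finalizers": ["example.com/hold-open"],          # hypothetical finalizer
        "deletionTimestamp": "2024-01-01T00:00:00Z"}},
    {"kind": "Service", "metadata": {"name": "api", "namespace": "prod"}},
    {"kind": "Pod", "metadata": {"name": "job-1", "namespace": "prod",
        "finalizers": ["batch.kubernetes.io/job-tracking"],
        "deletionTimestamp": "2024-01-01T00:00:00Z"}},
]})

def kyverno_affected(version: str) -> bool:
    """True when a Kyverno version is below the fixed release 1.10.0."""
    core = version.lstrip("v").split("-")[0]          # drop "v" prefix and "-rN" suffix
    return tuple(int(p) for p in core.split(".")) < (1, 10, 0)

def stuck_terminating(raw: str, now: datetime, min_age: timedelta):
    """Return (kind, namespace, name, finalizers) for resources that have a
    deletionTimestamp plus finalizers and have been pending deletion for at
    least min_age. Pods are skipped because the advisory states the bypass
    does not apply to them."""
    found = []
    for item in json.loads(raw).get("items", []):
        meta = item.get("metadata", {})
        ts = meta.get("deletionTimestamp")
        if item.get("kind") == "Pod" or not ts or not meta.get("finalizers"):
            continue
        deleted_at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - deleted_at >= min_age:
            found.append((item["kind"], meta.get("namespace", ""),
                          meta["name"], list(meta["finalizers"])))
    return found

def audit_sample():
    """Run the audit over SAMPLE as of 2024-01-02 UTC with a one-hour threshold."""
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)
    return stuck_terminating(SAMPLE, now, timedelta(hours=1))

if __name__ == "__main__":
    for kind, ns, name, fins in audit_sample():
        print(f"{kind} {ns}/{name} pending deletion with finalizers {fins}")
```

Resources reported by the audit are candidates for review on clusters still running a Kyverno version for which `kyverno_affected` returns True.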
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/kyverno/kyverno | Go | < 1.10.0 | 1.10.0 |
Affected products
27 package versions are listed by OSV coordinates; none of them has a CPE assigned.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/kyverno | < 0 |
| pkg:apk/chainguard/kyverno-background-controller | < 0 |
| pkg:apk/chainguard/kyverno-background-controller-fips | < 0 |
| pkg:apk/chainguard/kyverno-background-controller-fips-1.11 | < 1.11.5-r21 |
| pkg:apk/chainguard/kyverno-cleanup-controller | < 0 |
| pkg:apk/chainguard/kyverno-cleanup-controller-fips | < 0 |
| pkg:apk/chainguard/kyverno-cleanup-controller-fips-1.11 | < 1.11.5-r21 |
| pkg:apk/chainguard/kyverno-cli | < 0 |
| pkg:apk/chainguard/kyverno-cli-fips | < 0 |
| pkg:apk/chainguard/kyverno-cli-fips-1.11 | < 1.11.5-r21 |
| pkg:apk/chainguard/kyverno-fips | < 0 |
| pkg:apk/chainguard/kyverno-fips-1.11 | < 1.11.5-r21 |
| pkg:apk/chainguard/kyverno-init-container | < 0 |
| pkg:apk/chainguard/kyverno-init-container-fips | < 0 |
| pkg:apk/chainguard/kyverno-init-container-fips-1.11 | < 1.11.5-r21 |
| pkg:apk/chainguard/kyverno-policy-reporter-kyverno-plugin-1.5 | < 0 |
| pkg:apk/chainguard/kyverno-policy-reporter-kyverno-plugin-1.5-compat | < 0 |
| pkg:apk/chainguard/kyverno-reports-controller | < 0 |
| pkg:apk/chainguard/kyverno-reports-controller-fips | < 0 |
| pkg:apk/chainguard/kyverno-reports-controller-fips-1.11 | < 1.11.5-r21 |
| pkg:apk/wolfi/kyverno | < 0 |
| pkg:apk/wolfi/kyverno-background-controller | < 0 |
| pkg:apk/wolfi/kyverno-cleanup-controller | < 0 |
| pkg:apk/wolfi/kyverno-cli | < 0 |
| pkg:apk/wolfi/kyverno-init-container | < 0 |
| pkg:apk/wolfi/kyverno-reports-controller | < 0 |
| pkg:golang/github.com/kyverno/kyverno | < 1.10.0 |
References
- github.com/advisories/GHSA-hq4m-4948-64cc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-34091 (ghsa, ADVISORY)
- github.com/kyverno/kyverno/releases/tag/v1.10.0 (ghsa, x_refsource_MISC, WEB)
- github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc (ghsa, x_refsource_CONFIRM, WEB)