Bypass of verifyImages rule possible with malicious proxy/registry
High
chipzoller published GHSA-m3cq-xcx9-3gvm Dec 21, 2022
Package
Kyverno
(Kyverno)
Affected versions
1.8.3-1.8.4
Patched versions
1.8.5
Description
Impact
This issue affects users of Kyverno on versions 1.8.3 or 1.8.4 who use `verifyImages` rules to verify container image signatures and do not prevent the use of unknown registries.
Patches
This issue has been fixed in version 1.8.5.
Workarounds
Configure a Kyverno policy to restrict registries to a set of secure trusted image registries (sample).
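One way to express this workaround, as an added example that is not taken from the advisory: a ClusterPolicy that rejects any Pod whose images do not come from an allowlisted registry. The registry names `registry.example.com` and `mirror.example.org` and the policy name are placeholders to replace with the registries you trust.

```yaml
# Added example: restrict Pods to trusted registries so an image reference
# cannot point at an unknown registry or proxy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries        # placeholder name
spec:
  validationFailureAction: enforce       # reject the Pod instead of only reporting (audit)
  background: true                       # also report on already-running Pods
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Images may only come from registry.example.com or mirror.example.org."
      pattern:
        spec:
          # =(...) is a conditional anchor: the check applies only if the field exists.
          =(ephemeralContainers):
          - image: "registry.example.com/* | mirror.example.org/*"
          =(initContainers):
          - image: "registry.example.com/* | mirror.example.org/*"
          containers:
          - image: "registry.example.com/* | mirror.example.org/*"
```

The pattern covers init and ephemeral containers as well as regular ones, so every image a Pod can pull is checked against the allowlist.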