Bypass of verifyImages rule possible with malicious proxy/registry

High
chipzoller published GHSA-m3cq-xcx9-3gvm Dec 21, 2022

Package

Kyverno (Kyverno)

Affected versions

1.8.3-1.8.4

Patched versions

1.8.5

Description

Impact

Affected are users of Kyverno versions 1.8.3 or 1.8.4 who use verifyImages rules to verify container image signatures and do not prevent the use of unknown registries.

Patches

This issue has been fixed in version 1.8.5.

Workarounds

Configure a Kyverno policy to restrict registries to a set of secure trusted image registries (sample).
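The workaround above expressed as a concrete Kyverno ClusterPolicy, added here as an illustration rather than the sample linked from the advisory. It assumes the allowed registries are `registry.example.com` and `ghcr.io/example-org` (placeholders; substitute your own trusted registries) and uses the `validate` pattern syntax that Kyverno 1.8 supports:

```yaml
# Added example: restrict Pod images to an allow-list of trusted registries.
# With this policy enforced, a verifyImages rule can no longer be pointed at
# an unknown registry or proxy, because such a Pod is rejected before
# signature verification is even attempted.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  # Enforce rejects non-compliant Pods; Audit would only report them.
  validationFailureAction: Enforce
  # Also evaluate Pods that already exist, so existing violations show up
  # in policy reports.
  background: true
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Images may only be pulled from registry.example.com or ghcr.io/example-org."
      pattern:
        spec:
          # Wildcard patterns separated by '|' form an allow-list.
          # The '=(...)' anchor makes the check conditional: the field is
          # validated only if it is present.
          =(ephemeralContainers):
          - image: "registry.example.com/* | ghcr.io/example-org/*"
          =(initContainers):
          - image: "registry.example.com/* | ghcr.io/example-org/*"
          containers:
          - image: "registry.example.com/* | ghcr.io/example-org/*"
```

Apply it with `kubectl apply -f restrict-image-registries.yaml`. Note that a bare image such as `nginx:1.25` has no registry prefix and therefore does not match either pattern, so it is rejected as well; that is the intended behaviour, since an unqualified name resolves to whatever default registry the node runtime is configured with. Covering `initContainers` and `ephemeralContainers` matters because a restriction that only checks `containers` leaves two other image-bearing fields unvalidated.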

Severity

High

CVE ID

CVE-2022-47633

Weaknesses

No CWEs
