Improper Authorization Affecting kyverno-notation-aws-fips package, versions <1.1-r11
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-CHAINGUARDLATEST-KYVERNONOTATIONAWSFIPS-9525671
- published27 Mar 2025
- disclosed24 Mar 2025
Introduced: 24 Mar 2025
NewCVE-2025-29778 (opens in a new tab)How to fix?
Upgrade Chainguard kyverno-notation-aws-fips to version 1.1-r11 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kyverno-notation-aws-fips package and not the kyverno-notation-aws-fips package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.
References
- https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537
- https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60
- https://github.com/kyverno/kyverno/pull/12237
- https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94
- https://github.com/kyverno/policies/issues/1246