<p>Upgrade <code>github.com/kyverno/kyverno/cmd/internal</code> to version 1.13.0 or higher.</p>

internal package, versions <1.13.0

Threat Intelligence

Proof of concept

0.05% (16^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-GOLANG-GITHUBCOMKYVERNOKYVERNOCMDINTERNAL-8310958
published 31 Oct 2024
disclosed 30 Oct 2024
credit Joel Eidsath

Report a new vulnerability Found a mistake?

Introduced: 30 Oct 2024

New CVE-2024-48921 Open this link in a new tab CWE-285 Open this link in a new tab

How to fix?

Upgrade github.com/kyverno/kyverno/cmd/internal to version 1.13.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Authorization due to the default configuration that allows the creation of PolicyException objects in any namespace. An attacker with privileges to non-kyverno namespaces can bypass intended security policies by exploiting this misconfiguration.

PoC

Administrator creates "disallow-privileged-containers" ClusterPolicy that applies to resources in the namespace "ubuntu-restricted"
Cluster user creates a PolicyException object for "disallow-privileged-containers" in namespace "ubuntu-restricted"
Cluster user creates a pod with a privileged container in "ubuntu-restricted"
Cluster user escalates to root on the node from the privileged container

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)

Adjacent
Attack Complexity (AC)

High
Attack Requirements (AT)

Present
Privileges Required (PR)

High
User Interaction (UI)

Active

Confidentiality (VC)

High
Integrity (VI)

Low
Availability (VA)

Low

Confidentiality (SC)

Low
Integrity (SI)

High
Availability (SA)

Low