Vulnerability Details : CVE-2023-34091
Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs because resources pending deletion were consciously exempted by Kyverno to reduce processing load, as policies are typically not applied to objects which are being deleted. However, this could allow a malicious user to leverage the Kubernetes finalizers feature: setting a finalizer on an object and then deleting it causes the Kubernetes API server to set the `deletionTimestamp`, and if the finalizer is never removed the delete operation never completes, leaving an object that Kyverno explicitly exempts from policy evaluation. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround.
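The bypass described above, modelled as an added example (this is not Kyverno's engine and not code from the advisory): a hypothetical Enforce-mode validate rule requiring an `owner` label on Services, the pre-1.10.0 short-circuit that skipped evaluation for any object carrying `metadata.deletionTimestamp`, and an audit that lists objects stuck pending deletion behind a finalizer. The Service documents, the finalizer name `example.com/never-removed` and the label rule are constructed for illustration; the audit entry point can be fed real `kubectl get svc -A -o json` output on stdin.

```python
"""Model of the CVE-2023-34091 policy exemption plus an audit for stuck objects.

Added example, not Kyverno's code. It reproduces only the decision that
mattered: before 1.10.0 an object carrying metadata.deletionTimestamp was
skipped by validate/generate/mutate-existing policies; from 1.10.0 it is
evaluated like any other object.
"""
from __future__ import annotations

import json
import sys
from typing import Any, Dict

Resource = Dict[str, Any]


def pending_deletion(res: Resource) -> bool:
    """True once the API server has stamped metadata.deletionTimestamp.

    Clients cannot set this field themselves; it appears after a delete
    request and stays until every finalizer has been removed.
    """
    return bool(res.get("metadata", {}).get("deletionTimestamp"))


def blocking_finalizers(res: Resource) -> list[str]:
    """Finalizers holding a pending-deletion object in the API (empty otherwise)."""
    if not pending_deletion(res):
        return []
    return list(res.get("metadata", {}).get("finalizers") or [])


def validate_owner_label(res: Resource) -> list[str]:
    """Hypothetical validate rule: the object must carry an `owner` label.

    Returns violation messages; an empty list means the rule passed.
    """
    labels = res.get("metadata", {}).get("labels") or {}
    return [] if labels.get("owner") else ["metadata.labels.owner is required"]


def admit(res: Resource, *, exempt_pending_deletion: bool) -> tuple[bool, list[str]]:
    """Enforce-mode admission decision for an UPDATE of `res`.

    exempt_pending_deletion=True models Kyverno < 1.10.0: the object is
    admitted without the rule ever running. False models 1.10.0 and later.
    """
    if exempt_pending_deletion and pending_deletion(res):
        return True, ["skipped: object pending deletion"]
    violations = validate_owner_label(res)
    return not violations, violations


def audit_stuck_objects(items: list[Resource]) -> list[tuple[str, str, list[str]]]:
    """(kind, namespace/name, finalizers) for every object stuck pending deletion.

    These are exactly the objects a pre-1.10.0 Kyverno never re-checks, so on
    an unpatched cluster each one deserves a manual look.
    """
    found = []
    for res in items:
        fins = blocking_finalizers(res)
        if fins:
            meta = res["metadata"]
            found.append((res.get("kind", ""), f"{meta.get('namespace', '')}/{meta['name']}", fins))
    return found


# Constructed sample documents (not from a real cluster). STUCK_SERVICE is what
# the attacker's Service looks like after (1) an UPDATE added the finalizer,
# (2) `kubectl delete` set deletionTimestamp but could not finish, and
# (3) a further UPDATE stripped the required label.
STUCK_SERVICE: Resource = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "payments",
        "namespace": "prod",
        "labels": {},
        "finalizers": ["example.com/never-removed"],  # hypothetical finalizer name
        "deletionTimestamp": "2023-06-01T12:00:00Z",  # set by the API server
    },
    "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
}

LIVE_SERVICE_NO_OWNER: Resource = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "web", "namespace": "prod", "labels": {}},
    "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
}

LIVE_SERVICE_OK: Resource = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "api", "namespace": "prod", "labels": {"owner": "team-a"}},
    "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]},
}


def main() -> None:
    """Usage: kubectl get svc -A -o json | python3 this_script.py"""
    doc = json.load(sys.stdin)
    for kind, ref, fins in audit_stuck_objects(doc.get("items", [])):
        print(f"{kind} {ref} is pending deletion, held by finalizers {fins}")


if __name__ == "__main__":
    main()
```

With the pre-1.10.0 setting, `admit(STUCK_SERVICE, ...)` returns allowed even though the same object fails the rule under the fixed behaviour, while a live Service missing the label is rejected either way; that gap is the whole bug. The attacker needs update and delete permission on the target object to plant the finalizer and trigger the delete, so RBAC on those verbs bounds who can exploit it, but since there is no workaround the audit only helps you find candidates until the upgrade to 1.10.0 is done.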
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2023-34091
- cpe:2.3:a:nirmata:kyverno:*:*:*:*:*:go:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-34091
0.05% - probability of exploitation activity in the next 30 days
~17% - percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-34091
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST | 
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | GitHub, Inc. | 
CWE ids for CVE-2023-34091
- The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-34091
- https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc (A resource with a deletionTimestamp may allow policy circumvention; vendor advisory)
- https://github.com/kyverno/kyverno/releases/tag/v1.10.0 (Release v1.10.0; release notes)