CVE-2025-29778

Published: Mar 24, 2025Modified: Aug 1, 2025

8.0

Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 1.3 / Impact: 6.0

Source: NVD

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.

Affected (1)

Products: Kyverno: Kyverno

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kyverno Kyverno	From 1.13.0 to 1.13.6

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (5)

https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537

Source: security-advisories@github.com

Product

https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60

Source: security-advisories@github.com

Patch

https://github.com/kyverno/kyverno/pull/12237

Source: security-advisories@github.com

Issue Tracking

https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/kyverno/policies/issues/1246

Source: security-advisories@github.com

ExploitIssue Tracking

Timeline

No history available yet.