CVE-2025-29778

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537
https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60
https://github.com/kyverno/kyverno/pull/12237
https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94
https://github.com/kyverno/policies/issues/1246

Configurations

No configuration.

History

27 Mar 2025, 16:45

Type	Values Removed	Values Added
Summary		(es) Kyverno es un motor de políticas diseñado para equipos de ingeniería de plataformas nativas de la nube. Antes de la versión 1.14.0-alpha.1, Kyverno ignoraba subjectRegExp y IssuerRegExp al verificar la firma de artefactos con el modo sin clave. Esto permite al atacante implementar recursos de Kubernetes con artefactos firmados por un certificado inesperado. Implementar estos recursos de Kubernetes no autorizados puede comprometer por completo el clúster de Kubernetes. La versión 1.14.0-alpha.1 incluye un parche para este problema.

24 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-24 17:15

Updated : 2025-03-27 16:45

NVD link : CVE-2025-29778

Mitre link : CVE-2025-29778

CVE.ORG link : CVE-2025-29778

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

{"id": "CVE-2025-29778", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 1.3}]}, "published": "2025-03-24T17:15:20.970", "references": [{"url": "https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537", "source": "security-advisories@github.com"}, {"url": "https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60", "source": "security-advisories@github.com"}, {"url": "https://github.com/kyverno/kyverno/pull/12237", "source": "security-advisories@github.com"}, {"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94", "source": "security-advisories@github.com"}, {"url": "https://github.com/kyverno/policies/issues/1246", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue."}, {"lang": "es", "value": "Kyverno es un motor de pol\u00edticas dise\u00f1ado para equipos de ingenier\u00eda de plataformas nativas de la nube. Antes de la versi\u00f3n 1.14.0-alpha.1, Kyverno ignoraba subjectRegExp y IssuerRegExp al verificar la firma de artefactos con el modo sin clave. Esto permite al atacante implementar recursos de Kubernetes con artefactos firmados por un certificado inesperado. Implementar estos recursos de Kubernetes no autorizados puede comprometer por completo el cl\u00faster de Kubernetes. La versi\u00f3n 1.14.0-alpha.1 incluye un parche para este problema."}], "lastModified": "2025-03-27T16:45:46.410", "sourceIdentifier": "security-advisories@github.com"}