x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-qjvc-p88j-j9rm

[GoVulnBot]

Advisory GHSA-qjvc-p88j-j9rm references a vulnerability in the following Go modules:

Module
github.com/kyverno/kyverno

Description:

Summary

A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace.

Details

By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions.

PoC

1. Administrator creates "disallow-privileged-containers" ClusterPolicy that applies to resources in the namespace "ubuntu-restricted"
2. Cluster user creates a PolicyException object for "disallow-privileged-containers" in namespace "ubuntu-re...

References:

• ADVISORY: GHSA-qjvc-p88j-j9rm
• ADVISORY: GHSA-qjvc-p88j-j9rm

Cross references:

• github.com/kyverno/kyverno appears in 9 other report(s):
  • data/reports/GO-2022-1180.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-m3cq-xcx9-3gvm #1180)
  • data/reports/GO-2023-1801.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-33191 #1801)
  • data/reports/GO-2023-1804.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-hgv6-w7r3-w4qw #1804)
  • data/reports/GO-2023-1819.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-34091 #1819)
  • data/reports/GO-2023-2335.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-42813 #2335)
  • data/reports/GO-2023-2336.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-42814 #2336)
  • data/reports/GO-2023-2337.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-42815 #2337)
  • data/reports/GO-2023-2338.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-42816 #2338)
  • data/reports/GO-2023-2340.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-47630 #2340)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/kyverno/kyverno
      versions:
        - fixed: 1.13.0
      vulnerable_at: 1.13.0-rc.3
summary: Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno
cves:
    - CVE-2024-48921
ghsas:
    - GHSA-qjvc-p88j-j9rm
references:
    - advisory: https://github.com/advisories/GHSA-qjvc-p88j-j9rm
    - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm
source:
    id: GHSA-qjvc-p88j-j9rm
    created: 2024-10-29T15:01:29.790043987Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/623695 mentions this issue: data/reports: add GO-2024-3230