CVE-2022-35930

Published: Aug 4, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.

Vendor	Product	Versions
sigstore	policy-controller	affected `< 0.2.1`

Weaknesses (CWE)

CWE-347

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/sigstore/policy-controller/security/advisories/GHSA-739f-hw6h-7wq8

x_refsource_CONFIRM

https://github.com/sigstore/policy-controller/commit/e852af36fb7d42678b21d7e97503c25bd1fd05c8

x_refsource_MISC

https://github.com/sigstore/policy-controller/releases/tag/v0.2.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-35930

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References