QwikSec

Security Database

CVE

CWE

Training

CVE-2025-29778

Published: Mar 24, 2025

Modified: Mar 24, 2025

PUBLISHED

CVSS v3.1

5.8

MEDIUM

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.

Vendor	Product	Versions
kyverno	kyverno	affected `< 1.14.0-alpha.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94

x_refsource_CONFIRM

https://github.com/kyverno/policies/issues/1246

x_refsource_MISC

https://github.com/kyverno/kyverno/pull/12237

x_refsource_MISC

https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60

x_refsource_MISC

https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.