x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-47630 #2340
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
rolandshoemaker
added
the
excluded: EFFECTIVELY_PRIVATE
|
Change https://go.dev/cl/544095 mentions this issue: |
|
Change https://go.dev/cl/592763 mentions this issue: |
|
Change https://go.dev/cl/606793 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2023-2340.yaml - data/reports/GO-2023-2341.yaml - data/reports/GO-2023-2344.yaml - data/reports/GO-2023-2351.yaml - data/reports/GO-2023-2355.yaml - data/reports/GO-2023-2376.yaml - data/reports/GO-2023-2377.yaml - data/reports/GO-2023-2378.yaml - data/reports/GO-2023-2381.yaml - data/reports/GO-2023-2388.yaml - data/reports/GO-2023-2397.yaml - data/reports/GO-2023-2398.yaml - data/reports/GO-2023-2414.yaml - data/reports/GO-2023-2422.yaml - data/reports/GO-2023-2426.yaml Updates #2340 Updates #2341 Updates #2344 Updates #2351 Updates #2355 Updates #2376 Updates #2377 Updates #2378 Updates #2381 Updates #2388 Updates #2397 Updates #2398 Updates #2414 Updates #2422 Updates #2426 Change-Id: I279f769375f27873ced76b136c88665f610ac68c Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606793 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Commit-Queue: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
This was referenced Oct 29, 2024
Closed
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
CVE-2023-47630 references github.com/kyverno/kyverno, which may be a Go module.
Description:
Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The attacker could then return an vulnerable image to the the user and leverage that to further escalate their position. As such, the attacker would need to know which images the Kyverno user consumes and know of one of multiple exploitable vulnerabilities in previous digests of the images. Alternatively, if the attacker has compromised the registry, they could craft a malicious image with a different digest with intentionally placed vulnerabilities and deliver the image to the user. Users pulling their images by digests and from trusted registries are not impacted by this vulnerability. There is no evidence of this being exploited in the wild. The issue has been patched in 1.10.5. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: