CVE-2022-47633: kyverno verifyImages rule bypass possible with malicious proxy/registry
Affected: users of Kyverno versions 1.8.3 or 1.8.4 who use verifyImages rules to verify container image signatures and do not prevent the use of unknown registries.
References
- github.com/advisories/GHSA-m3cq-xcx9-3gvm
- github.com/kyverno/kyverno
- github.com/kyverno/kyverno/compare/v1.8.4...v1.8.5
- github.com/kyverno/kyverno/pull/5713
- github.com/kyverno/kyverno/releases/tag/v1.8.5
- github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
- kyverno.io/docs/writing-policies/verify-images
- kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
- nvd.nist.gov/vuln/detail/CVE-2022-47633
- pkg.go.dev/vuln/GO-2022-1180
- web.archive.org/web/20230426095744/https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries