CVE-2023-33191: kyverno seccomp control can be circumvented

May 25, 2023

Impact

Users of the podSecurity (validate.podSecurity) subrule in Kyverno 1.9. See the documentation for information on this subrule type. Users of Kyverno v1.9.2 and v1.9.3 are affected.

Patches

v1.9.4 v1.10.0

Workarounds

To work around this issue without upgrading to v1.9.4, temporarily install individual policies for the respective Seccomp checks in baseline here and restricted here.

References

https://kyverno.io/docs/writing-policies/validate/#pod-security
https://github.com/kyverno/kyverno/pull/7263

References

github.com/advisories/GHSA-33hq-f2mf-jm3c
github.com/kyverno/kyverno/pull/7263
github.com/kyverno/kyverno/releases/tag/v1.9.4
github.com/kyverno/kyverno/security/advisories/GHSA-33hq-f2mf-jm3c

Code Behaviors & Features

Detect and mitigate CVE-2023-33191 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →