CVE-2023-33191: kyverno seccomp control can be circumvented
Impact
Users of the podSecurity (validate.podSecurity
) subrule in Kyverno 1.9. See the documentation for information on this subrule type. Users of Kyverno v1.9.2 and v1.9.3 are affected.
Patches
v1.9.4 v1.10.0
Workarounds
To work around this issue without upgrading to v1.9.4, temporarily install individual policies for the respective Seccomp checks in baseline here and restricted here.
References
- https://kyverno.io/docs/writing-policies/validate/#pod-security
- https://github.com/kyverno/kyverno/pull/7263
References
Detect and mitigate CVE-2023-33191 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →