GMS-2022-8623: Bypass of verifyImages rule possible with malicious proxy/registry

December 21, 2022

Users of Kyverno on versions 1.8.3 or 1.8.4 who use verifyImages rules to verify container image signatures, and do not prevent use of unknown registries.

References

github.com/advisories/GHSA-m3cq-xcx9-3gvm
github.com/kyverno/kyverno/pull/5713
github.com/kyverno/kyverno/releases/tag/v1.8.5
github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries/

Code Behaviors & Features

Detect and mitigate GMS-2022-8623 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →