CVE-2023-33191: fix: PSa latest version check by realshuting · Pull Request #7263 · kyverno/kyverno
Kyverno is a policy engine designed for Kubernetes. Kyverno's seccomp control can be circumvented: users of the podSecurity (`validate.podSecurity`) subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.
otherwise, whichever version of the check comes first is applied, i.e., when a check has two versions of its implementation, say 1.10 and 1.19, 1.10 will be applied as it is the first check in the array.
Shouldn't `latest` be synonymous with the most recent version, which should be 1.19?
No, we check the literal string `latest`. `latest` always refers to the latest Kubernetes version: even if the check is GA in 1.19, the latest can be 1.27, which is the latest Kubernetes version as of now.
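The discussion above turns on how a versioned check is selected: a check can ship one implementation per Kubernetes minor version, and a policy may request a concrete version or the literal `latest`. The following Go program is an added illustration, not Kyverno's or the pod-security-admission library's own code; the `Check`, `VersionedCheck` and `Version` types, the constructed seccomp check with 1.10 and 1.19 implementations, and the function names are all assumptions made for this example. It shows the flawed "first entry in the array" selection beside a selection that resolves `latest` to the newest implementation and a concrete version to the newest implementation not newer than it.

```go
package main

import (
	"fmt"
	"sort"
)

// Version is a constructed Kubernetes version; Latest marks a request for the
// literal "latest" rather than a concrete major.minor.
type Version struct {
	Major, Minor int
	Latest       bool
}

// Older reports whether v predates o (Latest is ignored here; callers handle it).
func (v Version) Older(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	return v.Minor < o.Minor
}

// VersionedCheck is one implementation of a check, valid from MinimumVersion on.
// Constructed type, modelled loosely on how versioned pod-security checks are described.
type VersionedCheck struct {
	MinimumVersion Version
	Name           string // constructed label for the implementation
}

// Check is a named check with one or more versioned implementations.
// The Versions slice is not assumed to be sorted.
type Check struct {
	ID       string
	Versions []VersionedCheck
}

// sampleSeccompCheck builds the constructed example from the discussion:
// two implementations, 1.10 first in the array and 1.19 second.
func sampleSeccompCheck() Check {
	return Check{
		ID: "seccomp-baseline (constructed id)",
		Versions: []VersionedCheck{
			{MinimumVersion: Version{Major: 1, Minor: 10}, Name: "1.10 implementation"},
			{MinimumVersion: Version{Major: 1, Minor: 19}, Name: "1.19 implementation"},
		},
	}
}

// selectFirst reproduces the flawed behaviour: whatever sits first in the array
// is applied, so a policy asking for "latest" is evaluated with the 1.10 logic.
func selectFirst(c Check) VersionedCheck {
	return c.Versions[0]
}

// selectForVersion is the corrected selection: "latest" maps to the newest
// implementation; a concrete version maps to the newest implementation whose
// MinimumVersion is not newer than it. ok is false when the requested version
// predates every implementation of the check.
func selectForVersion(c Check, requested Version) (VersionedCheck, bool) {
	sorted := append([]VersionedCheck(nil), c.Versions...)
	sort.Slice(sorted, func(i, j int) bool {
		return sorted[i].MinimumVersion.Older(sorted[j].MinimumVersion)
	})
	if len(sorted) == 0 {
		return VersionedCheck{}, false
	}
	if requested.Latest {
		return sorted[len(sorted)-1], true
	}
	var chosen VersionedCheck
	found := false
	for _, vc := range sorted {
		if requested.Older(vc.MinimumVersion) {
			break // this and all later implementations are too new
		}
		chosen, found = vc, true
	}
	return chosen, found
}

func main() {
	c := sampleSeccompCheck()
	fmt.Println("first-in-array:", selectFirst(c).Name)
	latest, _ := selectForVersion(c, Version{Latest: true})
	fmt.Println("latest:", latest.Name)
	v115, _ := selectForVersion(c, Version{Major: 1, Minor: 15})
	fmt.Println("1.15:", v115.Name)
}
```

Selecting on the sorted slice rather than array position is what makes `latest` mean "the newest implementation, whatever Kubernetes version the cluster runs" (1.27 at the time of the discussion), while still letting a policy pinned to 1.15 be evaluated with the 1.10 logic it would have seen on that cluster.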
Related news
### Impact

Users of the podSecurity (`validate.podSecurity`) subrule in Kyverno 1.9. See the [documentation](https://kyverno.io/docs/writing-policies/validate/#pod-security) for information on this subrule type. Users of Kyverno v1.9.2 and v1.9.3 are affected.

### Patches

* v1.9.4
* v1.10.0

### Workarounds

To work around this issue without upgrading to v1.9.4, temporarily install individual policies for the respective Seccomp checks in baseline [here](https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/) and restricted [here](https://kyverno.io/policies/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict/).

### References

* https://kyverno.io/docs/writing-policies/validate/#pod-security
* https://github.com/kyverno/kyverno/pull/7263