Headline
GHSA-33hq-f2mf-jm3c: kyverno seccomp control can be circumvented
Impact
Users of the podSecurity (`validate.podSecurity`) subrule in Kyverno 1.9. See the documentation for information on this subrule type. Users of Kyverno v1.9.2 and v1.9.3 are affected.
Patches
v1.9.4, v1.10.0
Workarounds
To work around this issue without upgrading to v1.9.4, temporarily install individual policies for the respective Seccomp checks in baseline here and restricted here.
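While the workaround policies or the upgrade are rolled out, pods admitted under v1.9.2 or v1.9.3 can be audited directly. The following is an added example, not Kyverno's code and not the policies linked above: it applies the Pod Security Standards seccomp rules (baseline rejects any explicit profile type other than `RuntimeDefault` or `Localhost`; restricted also requires every container to have one of those set on itself or inherited from the pod). The function name `SeccompViolations` and the sample manifest are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the Pod fields the seccomp checks read; encoding/json matches keys case-insensitively.
type secCtx struct{ SeccompProfile struct{ Type string } }
type container struct {
	Name            string
	SecurityContext secCtx
}
type pod struct {
	Spec struct {
		SecurityContext                                 secCtx
		Containers, InitContainers, EphemeralContainers []container
	}
}

// SeccompViolations (hypothetical helper) lists violations for level "baseline" or "restricted".
func SeccompViolations(manifest []byte, level string) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	s, ok := p.Spec, map[string]bool{"RuntimeDefault": true, "Localhost": true}
	podType, out := s.SecurityContext.SeccompProfile.Type, []string{}
	if podType != "" && !ok[podType] {
		out = append(out, "pod: seccompProfile.type="+podType)
	}
	for _, c := range append(append(s.Containers, s.InitContainers...), s.EphemeralContainers...) {
		if t := c.SecurityContext.SeccompProfile.Type; t != "" && !ok[t] {
			out = append(out, c.Name+": seccompProfile.type="+t) // explicit Unconfined or unknown type
		} else if t == "" && level == "restricted" && !ok[podType] {
			out = append(out, c.Name+": seccompProfile not set and no valid pod-level profile")
		}
	}
	return out, nil
}

// Constructed sample: no pod-level profile, one container explicitly Unconfined, one unset.
const samplePod = `{"spec":{"containers":[{"name":"app","securityContext":{"seccompProfile":{"type":"Unconfined"}}},{"name":"sidecar"}]}}`

func main() {
	base, _ := SeccompViolations([]byte(samplePod), "baseline")
	rest, _ := SeccompViolations([]byte(samplePod), "restricted")
	fmt.Println(base, rest)
}
```

Feed it the JSON form of each pod (for example the items of a `kubectl get pods -o json` listing) to find workloads that the seccomp control should have rejected.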
References
- https://kyverno.io/docs/writing-policies/validate/#pod-security
- https://github.com/kyverno/kyverno/pull/7263
CVE-2023-33191
Moderate severity GitHub Reviewed Published May 25, 2023 in kyverno/kyverno
Package
gomod github.com/kyverno/kyverno (Go)
Affected versions
>= 1.9.2, < 1.9.4
Description
Published to the GitHub Advisory Database
May 25, 2023
GHSA ID
GHSA-33hq-f2mf-jm3c
Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.