GHSA-m43g-m425-p68x: junit-platform-reporting can leak Git credentials through its OpenTestReportGeneratingListener 

GHSA-hc55-p739-j48w: @modelcontextprotocol/server-filesystem vulnerability allows for path validation bypass via colliding path prefix

GHSA-q66q-fx2p-7w4m: @modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling

GHSA-h34r-jxqm-qgpr: juju/utils leaks private key in certs

GHSA-xg8h-j46f-w952: Pillow vulnerability can cause write buffer overflow on BCn encoding

### Impact

Users of Kyverno on versions 1.8.3 or 1.8.4 who use `verifyImages` rules to verify container image signatures, and do not prevent use of unknown registries.

### Patches

This issue has been fixed in version [1.8.5](https://github.com/kyverno/kyverno/releases/tag/v1.8.5)

### Workarounds

Configure a Kyverno policy to restrict registries to a set of secure trusted image registries ([sample](https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries/)).

### References




**Bypass of verifyImages rule possible with malicious proxy/registry**

High severity GitHub Reviewed Published Dec 21, 2022 in kyverno/kyverno • Updated Dec 21, 2022

Headline

GHSA-m3cq-xcx9-3gvm: Bypass of verifyImages rule possible with malicious proxy/registry

Impact

Patches

Workarounds

References

ghsa: Latest News