CVE-2023-42816 (GCVE-0-2023-42816)
Vulnerability from cvelistv5 – Published: 2023-11-13 20:23 – Updated: 2024-08-02 19:30
VLAI?
Title
Denial of service from malicious signature in kyverno
Summary
Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.
Severity ?
6.1 (Medium)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003e= 80d139bb5d1d9d7e907abe851b97dc73821a5be2, \u003c fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users\u0027 admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T18:54:09.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r"
},
{
"name": "https://github.com/kyverno/kyverno/pull/8428",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/pull/8428"
},
{
"name": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2"
},
{
"name": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b"
}
],
"source": {
"advisory": "GHSA-4mp4-46gq-hv3r",
"discovery": "UNKNOWN"
},
"title": "Denial of service from malicious signature in kyverno"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42816",
"datePublished": "2023-11-13T20:23:16.248Z",
"dateReserved": "2023-09-14T16:13:33.308Z",
"dateUpdated": "2024-08-02T19:30:24.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nirmata:kyverno:1.11.0:-:*:*:*:go:*:*\", \"matchCriteriaId\": \"60D64C55-D7D4-4EAC-8A8F-2611CABBECDA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users\u0027 admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.\"}, {\"lang\": \"es\", \"value\": \"Kyverno es un motor de pol\\u00edticas dise\\u00f1ado para Kubernetes. Se encontr\\u00f3 una vulnerabilidad de seguridad en Kyverno donde un atacante podr\\u00eda provocar la denegaci\\u00f3n de servicio de Kyverno. La vulnerabilidad estaba en el verificador de Kyvernos Notary. Un atacante necesitar\\u00eda controlar el registro del que Kyverno obtendr\\u00eda firmas. Con tal posici\\u00f3n, el atacante podr\\u00eda devolver una respuesta maliciosa a Kyverno, cuando Kyverno enviar\\u00eda una solicitud al registro. La respuesta maliciosa provocar\\u00eda la denegaci\\u00f3n de servicio de Kyverno, de modo que se bloquear\\u00eda el procesamiento de las solicitudes de admisi\\u00f3n de otros usuarios. Esta es una vulnerabilidad en un nuevo componente lanzado en la versi\\u00f3n 1.11.0. Los \\u00fanicos usuarios afectados por esto son aquellos que han estado compilando Kyverno desde la fuente en la sucursal principal, lo cual no es recomendable. Los usuarios que consumen versiones oficiales de Kyverno no se ven afectados. No se conocen casos de explotaci\\u00f3n de esta vulnerabilidad en la naturaleza.\"}]",
"id": "CVE-2023-42816",
"lastModified": "2024-11-21T08:23:16.373",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 3.6}]}",
"published": "2023-11-13T21:15:08.127",
"references": "[{\"url\": \"https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/kyverno/kyverno/pull/8428\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/kyverno/kyverno/pull/8428\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-345\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-42816\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-11-13T21:15:08.127\",\"lastModified\":\"2024-11-21T08:23:16.373\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch signatures. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users\u0027 admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.\"},{\"lang\":\"es\",\"value\":\"Kyverno es un motor de pol\u00edticas dise\u00f1ado para Kubernetes. Se encontr\u00f3 una vulnerabilidad de seguridad en Kyverno donde un atacante podr\u00eda provocar la denegaci\u00f3n de servicio de Kyverno. La vulnerabilidad estaba en el verificador de Kyvernos Notary. Un atacante necesitar\u00eda controlar el registro del que Kyverno obtendr\u00eda firmas. Con tal posici\u00f3n, el atacante podr\u00eda devolver una respuesta maliciosa a Kyverno, cuando Kyverno enviar\u00eda una solicitud al registro. La respuesta maliciosa provocar\u00eda la denegaci\u00f3n de servicio de Kyverno, de modo que se bloquear\u00eda el procesamiento de las solicitudes de admisi\u00f3n de otros usuarios. Esta es una vulnerabilidad en un nuevo componente lanzado en la versi\u00f3n 1.11.0. Los \u00fanicos usuarios afectados por esto son aquellos que han estado compilando Kyverno desde la fuente en la sucursal principal, lo cual no es recomendable. Los usuarios que consumen versiones oficiales de Kyverno no se ven afectados. No se conocen casos de explotaci\u00f3n de esta vulnerabilidad en la naturaleza.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nirmata:kyverno:1.11.0:-:*:*:*:go:*:*\",\"matchCriteriaId\":\"60D64C55-D7D4-4EAC-8A8F-2611CABBECDA\"}]}]}],\"references\":[{\"url\":\"https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kyverno/kyverno/pull/8428\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/kyverno/kyverno/commit/80d139bb5d1d9d7e907abe851b97dc73821a5be2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kyverno/kyverno/commit/fec2992e3f9fcd6b9c62267522c09b182e7df73b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kyverno/kyverno/pull/8428\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kyverno/kyverno/security/advisories/GHSA-4mp4-46gq-hv3r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…