FKIE_CVE-2025-47281

Vulnerability from fkie_nvd - Published: 2025-07-23 21:15 - Updated: 2025-08-05 15:51
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Summary
Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2.
References
security-advisories@github.comhttps://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7cPatch
security-advisories@github.comhttps://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggqVendor Advisory, Exploit, Mitigation
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggqVendor Advisory, Exploit, Mitigation
Impacted products
Vendor Product Version
kyverno kyverno *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AEDDDB4F-5404-4385-AB85-96A449B748B2",
              "versionEndExcluding": "1.14.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2."
    },
    {
      "lang": "es",
      "value": "Kyverno es un motor de pol\u00edticas dise\u00f1ado para equipos de ingenier\u00eda de plataformas nativas de la nube. En las versiones 1.14.1 y anteriores, existe una vulnerabilidad de denegaci\u00f3n de servicio (DoS) debido al manejo inadecuado de las sustituciones de variables JMESPath. Los atacantes con permisos para crear o actualizar pol\u00edticas de Kyverno pueden manipular expresiones utilizando la variable {{@}} combinada con una barra vertical y una funci\u00f3n JMESPath no v\u00e1lida (p. ej., {{@ | non_existent_function }}). Esto provoca la sustituci\u00f3n de un valor nulo en la estructura de la pol\u00edtica. El procesamiento posterior por funciones internas, en concreto getValueAsStringMap, que esperan valores de cadena, genera un p\u00e1nico debido a un error en la aserci\u00f3n de tipo (la interfaz {} es nula, no de cadena). Esto bloquea los subprocesos de trabajo de Kyverno en el controlador de admisi\u00f3n y provoca bloqueos continuos del pod del controlador de informes. Esto se ha corregido en la versi\u00f3n 1.14.2."
    }
  ],
  "id": "CVE-2025-47281",
  "lastModified": "2025-08-05T15:51:19.533",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-23T21:15:26.397",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/kyverno/kyverno/commit/cbd7d4ca24de1c55396fc3295e9fc3215832be7c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Exploit",
        "Mitigation"
      ],
      "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Vendor Advisory",
        "Exploit",
        "Mitigation"
      ],
      "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r5p3-955p-5ggq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-248"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.