GHSA-FC89-JGHX-8PVG

Vulnerability from github – Published: 2025-01-30 17:52 – Updated: 2025-02-05 16:23
VLAI?
Summary
KubeWarden's AdmissionPolicy and AdmissionPolicyGroup policies can be used to alter PolicyReport resources
Details

Impact

By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See this section of Kubewarden’s documentation for more details about PolicyReport resources. An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources. Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace.

Patches

Starting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources. The new validation will also restrict the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects.

Workarounds

On clusters running Kubewarden < 1.21.0, the following Kubewarden policy can be applied to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources:

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: "deny-interaction-with-policyreport"
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  settings:
    variables:
      - name: hasWildcardInsideOfApiGroup
        expression: "object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == '*'))"
      - name: hasWildcardInsideOfResources
        expression: "object.spec.rules.exists(r, r.resources.exists(ag, ag == '*' || ag == '*/*' || ag == 'policyreports/*'))"
      - name: dealsWithPolicyReportApiGroup
        expression: "object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == 'wgpolicyk8s.io'))"
      - name: dealsWithPolicyReportResource
        expression: "object.spec.rules.exists(r, r.resources.exists(ag, ag == 'policyreports' || ag == 'policyreports/'))"
      - name: isPendingDeletion
        expression: "has(object.metadata.deletionTimestamp)"
    validations:
      - expression: |
          !( variables.hasWildcardInsideOfApiGroup ||
             variables.hasWildcardInsideOfResources ||
             variables.dealsWithPolicyReportResource ||
             variables.dealsWithPolicyReportApiGroup
          ) || variables.isPendingDeletion
        message: "cannot target PolicyReport resources or use wildcards in apiGroups or resources"
  rules:
    - apiGroups: ["policies.kubewarden.io"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["admissionpolicies", "admissionpolicygroups"]
  mutating: false
  backgroundAudit: true

For more information

If you have any questions or comments about this advisory you can contact the Kubewarden team using the procedures described under the “security disclosure“ guidelines of the Kubewarden project.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kubewarden/kubewarden-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-30T17:52:37Z",
    "nvd_published_at": "2025-01-30T16:15:31Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nBy design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy.\nThere might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature.\nFor example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See [this section](https://docs.kubewarden.io/explanations/audit-scanner/policy-reports) of Kubewarden\u2019s documentation for more details about PolicyReport resources.\nAn attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources.\nMoreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace.\n\n### Patches\n\nStarting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources.\nThe new validation will also restrict the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects.\n\n### Workarounds\n\nOn clusters running Kubewarden \u003c 1.21.0, the following Kubewarden policy can be applied to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources:\n\n```yaml\napiVersion: policies.kubewarden.io/v1\nkind: ClusterAdmissionPolicy\nmetadata:\n  name: \"deny-interaction-with-policyreport\"\nspec:\n  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest\n  settings:\n    variables:\n      - name: hasWildcardInsideOfApiGroup\n        expression: \"object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == \u0027*\u0027))\"\n      - name: hasWildcardInsideOfResources\n        expression: \"object.spec.rules.exists(r, r.resources.exists(ag, ag == \u0027*\u0027 || ag == \u0027*/*\u0027 || ag == \u0027policyreports/*\u0027))\"\n      - name: dealsWithPolicyReportApiGroup\n        expression: \"object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == \u0027wgpolicyk8s.io\u0027))\"\n      - name: dealsWithPolicyReportResource\n        expression: \"object.spec.rules.exists(r, r.resources.exists(ag, ag == \u0027policyreports\u0027 || ag == \u0027policyreports/\u0027))\"\n      - name: isPendingDeletion\n        expression: \"has(object.metadata.deletionTimestamp)\"\n    validations:\n      - expression: |\n          !( variables.hasWildcardInsideOfApiGroup ||\n             variables.hasWildcardInsideOfResources ||\n             variables.dealsWithPolicyReportResource ||\n             variables.dealsWithPolicyReportApiGroup\n          ) || variables.isPendingDeletion\n        message: \"cannot target PolicyReport resources or use wildcards in apiGroups or resources\"\n  rules:\n    - apiGroups: [\"policies.kubewarden.io\"]\n      apiVersions: [\"v1\"]\n      operations: [\"CREATE\", \"UPDATE\"]\n      resources: [\"admissionpolicies\", \"admissionpolicygroups\"]\n  mutating: false\n  backgroundAudit: true\n```\n\n### For more information\n\nIf you have any questions or comments about this advisory you can contact the Kubewarden team using the procedures described under the \u201c[security disclosure](https://docs.kubewarden.io/disclosure)\u201c guidelines of the Kubewarden project.",
  "id": "GHSA-fc89-jghx-8pvg",
  "modified": "2025-02-05T16:23:59Z",
  "published": "2025-01-30T17:52:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kubewarden/kubewarden-controller/security/advisories/GHSA-fc89-jghx-8pvg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubewarden/kubewarden-controller/commit/8124039b5f0c955d0ee8c8ca12d4415282f02d2c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubewarden/kubewarden-controller"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3434"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "KubeWarden\u0027s AdmissionPolicy and AdmissionPolicyGroup policies can be used to alter PolicyReport resources"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.