Action not permitted
Modal body text goes here.
Modal Title
Modal Body
GHSA-QJVC-P88J-J9RM
Vulnerability from github – Published: 2024-10-29 14:44 – Updated: 2024-11-07 19:23
VLAI
Summary
Kyverno's PolicyException objects can be created in any namespace by default
Details
Summary
A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace.
Details
By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions.
PoC
- Administrator creates "disallow-privileged-containers" ClusterPolicy that applies to resources in the namespace "ubuntu-restricted"
- Cluster user creates a PolicyException object for "disallow-privileged-containers" in namespace "ubuntu-restricted"
- Cluster user creates a pod with a privileged container in "ubuntu-restricted"
- Cluster user escalates to root on the node from the privileged container
Impact
Administrators attempting to enforce cluster security through kyverno policies, but that allow less privileged users to create resources
Severity
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kyverno/kyverno"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-48921"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-29T14:44:36Z",
"nvd_published_at": "2024-10-29T15:15:10Z",
"severity": "HIGH"
},
"details": "### Summary\nA kyverno ClusterPolicy, ie. \"disallow-privileged-containers,\" can be overridden by the creation of a PolicyException in a random namespace.\n\n### Details\nBy design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions.\n\n### PoC\n1. Administrator creates \"disallow-privileged-containers\" ClusterPolicy that applies to resources in the namespace \"ubuntu-restricted\"\n2. Cluster user creates a PolicyException object for \"disallow-privileged-containers\" in namespace \"ubuntu-restricted\"\n3. Cluster user creates a pod with a privileged container in \"ubuntu-restricted\" \n4. Cluster user escalates to root on the node from the privileged container\n\n### Impact\nAdministrators attempting to enforce cluster security through kyverno policies, but that allow less privileged users to create resources",
"id": "GHSA-qjvc-p88j-j9rm",
"modified": "2024-11-07T19:23:10Z",
"published": "2024-10-29T14:44:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48921"
},
{
"type": "PACKAGE",
"url": "https://github.com/kyverno/kyverno"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Kyverno\u0027s PolicyException objects can be created in any namespace by default"
}
cleanstart-2026-gk29346
Vulnerability from cleanstart
Published
2026-04-01 09:22
Modified
2026-03-25 11:02
Summary
Security fixes for CVE-2025-15558, CVE-2025-47907, CVE-2025-66564, CVE-2026-1229, CVE-2026-22039, CVE-2026-22703, CVE-2026-22772, CVE-2026-23831, CVE-2026-23881, CVE-2026-24051, CVE-2026-24117, CVE-2026-24137, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, ghsa-2464-8j7c-4cjm, ghsa-29wx-vh33-7x7r, ghsa-2x5j-vhc8-9cwm, ghsa-459x-q9hg-4gpq, ghsa-4qg8-fj49-pxjh, ghsa-4vq8-7jfc-9cvp, ghsa-6m8w-jc87-6cr7, ghsa-88jx-383q-w4qc, ghsa-95pr-fxf5-86gv, ghsa-c5q2-7r4c-mv6g, ghsa-c6gw-w398-hv78, ghsa-c77r-fh37-x2px, ghsa-f83f-xpx7-ffpw, ghsa-fv92-fjc5-jj9h, ghsa-jrr2-x33p-6hvc, ghsa-mh63-6h87-95cp, ghsa-mqqf-5wvp-8fh8, ghsa-p77j-4mvh-x3m3, ghsa-qjvc-p88j-j9rm, ghsa-r5p3-955p-5ggq, ghsa-v23v-6jw2-98fq, ghsa-v6v8-xj6m-xwqh, ghsa-xw73-rw38-6vjc applied in versions: 1.4.2-r2, 1.4.2-r4, 1.4.2-r6, 1.4.2-r7
Details
Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. These issues are resolved in later releases. See references for individual vulnerability details.
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "kyverno-policy-reporter-kyverno-plugin-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.2-r7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-GK29346",
"modified": "2026-03-25T11:02:44Z",
"published": "2026-04-01T09:22:17.389111Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GK29346.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-15558"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47907"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-66564"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-22039"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-22703"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-22772"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23831"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23881"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24117"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24137"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2464-8j7c-4cjm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-29wx-vh33-7x7r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2x5j-vhc8-9cwm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-459x-q9hg-4gpq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4qg8-fj49-pxjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4vq8-7jfc-9cvp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6m8w-jc87-6cr7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-88jx-383q-w4qc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-95pr-fxf5-86gv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c5q2-7r4c-mv6g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c6gw-w398-hv78"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c77r-fh37-x2px"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f83f-xpx7-ffpw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fv92-fjc5-jj9h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jrr2-x33p-6hvc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mh63-6h87-95cp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mqqf-5wvp-8fh8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qjvc-p88j-j9rm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5p3-955p-5ggq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v23v-6jw2-98fq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v6v8-xj6m-xwqh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xw73-rw38-6vjc"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15558"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66564"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22039"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22703"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22772"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23831"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23881"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24117"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24137"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-15558, CVE-2025-47907, CVE-2025-66564, CVE-2026-1229, CVE-2026-22039, CVE-2026-22703, CVE-2026-22772, CVE-2026-23831, CVE-2026-23881, CVE-2026-24051, CVE-2026-24117, CVE-2026-24137, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, ghsa-2464-8j7c-4cjm, ghsa-29wx-vh33-7x7r, ghsa-2x5j-vhc8-9cwm, ghsa-459x-q9hg-4gpq, ghsa-4qg8-fj49-pxjh, ghsa-4vq8-7jfc-9cvp, ghsa-6m8w-jc87-6cr7, ghsa-88jx-383q-w4qc, ghsa-95pr-fxf5-86gv, ghsa-c5q2-7r4c-mv6g, ghsa-c6gw-w398-hv78, ghsa-c77r-fh37-x2px, ghsa-f83f-xpx7-ffpw, ghsa-fv92-fjc5-jj9h, ghsa-jrr2-x33p-6hvc, ghsa-mh63-6h87-95cp, ghsa-mqqf-5wvp-8fh8, ghsa-p77j-4mvh-x3m3, ghsa-qjvc-p88j-j9rm, ghsa-r5p3-955p-5ggq, ghsa-v23v-6jw2-98fq, ghsa-v6v8-xj6m-xwqh, ghsa-xw73-rw38-6vjc applied in versions: 1.4.2-r2, 1.4.2-r4, 1.4.2-r6, 1.4.2-r7",
"upstream": [
"CVE-2025-15558",
"CVE-2025-47907",
"CVE-2025-66564",
"CVE-2026-1229",
"CVE-2026-22039",
"CVE-2026-22703",
"CVE-2026-22772",
"CVE-2026-23831",
"CVE-2026-23881",
"CVE-2026-24051",
"CVE-2026-24117",
"CVE-2026-24137",
"CVE-2026-25679",
"CVE-2026-26958",
"CVE-2026-27139",
"CVE-2026-27142",
"CVE-2026-33186",
"ghsa-2464-8j7c-4cjm",
"ghsa-29wx-vh33-7x7r",
"ghsa-2x5j-vhc8-9cwm",
"ghsa-459x-q9hg-4gpq",
"ghsa-4qg8-fj49-pxjh",
"ghsa-4vq8-7jfc-9cvp",
"ghsa-6m8w-jc87-6cr7",
"ghsa-88jx-383q-w4qc",
"ghsa-95pr-fxf5-86gv",
"ghsa-c5q2-7r4c-mv6g",
"ghsa-c6gw-w398-hv78",
"ghsa-c77r-fh37-x2px",
"ghsa-f83f-xpx7-ffpw",
"ghsa-fv92-fjc5-jj9h",
"ghsa-jrr2-x33p-6hvc",
"ghsa-mh63-6h87-95cp",
"ghsa-mqqf-5wvp-8fh8",
"ghsa-p77j-4mvh-x3m3",
"ghsa-qjvc-p88j-j9rm",
"ghsa-r5p3-955p-5ggq",
"ghsa-v23v-6jw2-98fq",
"ghsa-v6v8-xj6m-xwqh",
"ghsa-xw73-rw38-6vjc"
]
}
cleanstart-2026-pd17156
Vulnerability from cleanstart
Published
2026-01-30 15:00
Modified
2026-01-29 18:58
Summary
Cancelling a query (e
Details
Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. Cancelling a query (e. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "kyverno-policy-reporter-kyverno-plugin-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.2-r4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. Cancelling a query (e. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-PD17156",
"modified": "2026-01-29T18:58:54Z",
"published": "2026-01-30T15:00:22.872625Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-PD17156"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47907"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-2464-8J7C-4CJM"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-29WX-VH33-7X7R"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-2X5J-VHC8-9CWM"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-459X-Q9HG-4GPQ"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-4QG8-FJ49-PXJH"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-4VQ8-7JFC-9CVP"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-6M8W-JC87-6CR7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-88JX-383Q-W4QC"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-C5Q2-7R4C-MV6G"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-C6GW-W398-HV78"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-C77R-FH37-X2PX"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-F83F-XPX7-FFPW"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-FV92-FJC5-JJ9H"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-JRR2-X33P-6HVC"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-MH63-6H87-95CP"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-QJVC-P88J-J9RM"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/GHSA-R5P3-955P-5GGQ"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cancelling a query (e",
"upstream": [
"CVE-2025-47907",
"GHSA-2464-8J7C-4CJM",
"GHSA-29WX-VH33-7X7R",
"GHSA-2X5J-VHC8-9CWM",
"GHSA-459X-Q9HG-4GPQ",
"GHSA-4QG8-FJ49-PXJH",
"GHSA-4VQ8-7JFC-9CVP",
"GHSA-6M8W-JC87-6CR7",
"GHSA-88JX-383Q-W4QC",
"GHSA-C5Q2-7R4C-MV6G",
"GHSA-C6GW-W398-HV78",
"GHSA-C77R-FH37-X2PX",
"GHSA-F83F-XPX7-FFPW",
"GHSA-FV92-FJC5-JJ9H",
"GHSA-JRR2-X33P-6HVC",
"GHSA-MH63-6H87-95CP",
"GHSA-QJVC-P88J-J9RM",
"GHSA-R5P3-955P-5GGQ"
]
}
cleanstart-2026-wb12909
Vulnerability from cleanstart
Published
2026-04-16 01:02
Modified
2026-04-15 05:53
Summary
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions
Details
Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "kyverno-policy-reporter-kyverno-plugin-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.2-r8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-WB12909",
"modified": "2026-04-15T05:53:30Z",
"published": "2026-04-16T01:02:48.908159Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-WB12909.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-15558"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47907"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-66564"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-22039"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-22703"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-22772"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23831"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23881"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24117"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24137"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2464-8j7c-4cjm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-29wx-vh33-7x7r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2x5j-vhc8-9cwm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-459x-q9hg-4gpq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4qg8-fj49-pxjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4vq8-7jfc-9cvp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6m8w-jc87-6cr7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-88jx-383q-w4qc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-95pr-fxf5-86gv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c5q2-7r4c-mv6g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c6gw-w398-hv78"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c77r-fh37-x2px"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f83f-xpx7-ffpw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fv92-fjc5-jj9h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jrr2-x33p-6hvc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mh63-6h87-95cp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mqqf-5wvp-8fh8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qjvc-p88j-j9rm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5p3-955p-5ggq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v23v-6jw2-98fq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v6v8-xj6m-xwqh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xw73-rw38-6vjc"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15558"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66564"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22039"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22703"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22772"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23831"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23881"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24117"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24137"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions",
"upstream": [
"CVE-2025-15558",
"CVE-2025-47907",
"CVE-2025-66564",
"CVE-2026-1229",
"CVE-2026-22039",
"CVE-2026-22703",
"CVE-2026-22772",
"CVE-2026-23831",
"CVE-2026-23881",
"CVE-2026-24051",
"CVE-2026-24117",
"CVE-2026-24137",
"CVE-2026-25679",
"CVE-2026-26958",
"CVE-2026-27139",
"CVE-2026-27142",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33810",
"ghsa-2464-8j7c-4cjm",
"ghsa-29wx-vh33-7x7r",
"ghsa-2x5j-vhc8-9cwm",
"ghsa-459x-q9hg-4gpq",
"ghsa-4qg8-fj49-pxjh",
"ghsa-4vq8-7jfc-9cvp",
"ghsa-6m8w-jc87-6cr7",
"ghsa-88jx-383q-w4qc",
"ghsa-95pr-fxf5-86gv",
"ghsa-c5q2-7r4c-mv6g",
"ghsa-c6gw-w398-hv78",
"ghsa-c77r-fh37-x2px",
"ghsa-f83f-xpx7-ffpw",
"ghsa-fv92-fjc5-jj9h",
"ghsa-jrr2-x33p-6hvc",
"ghsa-mh63-6h87-95cp",
"ghsa-mqqf-5wvp-8fh8",
"ghsa-p77j-4mvh-x3m3",
"ghsa-qjvc-p88j-j9rm",
"ghsa-r5p3-955p-5ggq",
"ghsa-v23v-6jw2-98fq",
"ghsa-v6v8-xj6m-xwqh",
"ghsa-xw73-rw38-6vjc"
]
}
CVE-2024-48921 (GCVE-0-2024-48921)
Vulnerability from cvelistv5 – Published: 2024-10-29 14:14 – Updated: 2024-10-29 14:58
VLAI
EPSS
Title
Kyverno's PolicyException objects can be created in any namespace by default
Summary
Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions. This vulnerability is fixed in 1.13.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-285 - Improper Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/kyverno/kyverno/security/advis… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"lessThan": "1.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48921",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T14:57:32.532882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:58:36.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kyverno",
"vendor": "kyverno",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. \"disallow-privileged-containers,\" can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:14:36.260Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm"
}
],
"source": {
"advisory": "GHSA-qjvc-p88j-j9rm",
"discovery": "UNKNOWN"
},
"title": "Kyverno\u0027s PolicyException objects can be created in any namespace by default"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-48921",
"datePublished": "2024-10-29T14:14:36.260Z",
"dateReserved": "2024-10-09T22:06:46.173Z",
"dateUpdated": "2024-10-29T14:58:36.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…