CVE-2023-42813 MEDIUM

CVE-2023-42813: Denial of service from malicious manifest in kyverno

Vendor Kyverno

Product kyverno

Weakness CWE-400

Published November 13, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch attestations. With such a position, the attacker could return a malicious response to Kyverno, when Kyverno would send a request to the registry. The malicious response would cause denial of service of Kyverno, such that other users' admission requests would be blocked from being processed. This is a vulnerability in a new component released in v1.11.0. The only users affected by this are those that have been building Kyverno from source at the main branch which is not encouraged. Users consuming official Kyverno releases are not affected. There are no known cases of this vulnerability being exploited in the wild.

Key dates

02Disclosure timeline

November 13, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-42813 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/400.html

Related vulnerabilities

Identifiers

CVE CVE-2023-42813

CWE CWE-400

CVSS 6.1 / MEDIUM

Affected versions