CVE-2022-35930

Published: Aug 04, 2022 - 10:15 p.m. (2022-08-04 22:15:08)
CWE-347
Source: web.nvd.nist.gov
Tags: policycontroller, kubernetes, cve-2022-35930, supply chain policy, false positive, admission, attestation, signature, upgrade

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.6 High (Confidence: High)
EPSS: 0.002 Low (Percentile: 55.9%)

PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1, PolicyController reports a false positive, resulting in an admission that should have been denied, when there is at least one attestation with a valid signature but there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.
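The logic error described above can be modelled in a few lines of Go. The following is an added illustration, not the policy-controller's own code: the Attestation struct, its field names, the type strings in the sample data and the two decision functions are assumptions made for this example. It places the pre-0.2.1 behaviour (any validly signed attestation is enough) beside the corrected check (the validly signed attestation must also be of the requested type) and runs both over the advisory's failing case: an image that carries a signed attestation of some other type and none of type "custom".

```go
package main

import "fmt"

// Attestation is a constructed, simplified view of an attestation attached to
// an image: the predicate type it carries and whether its signature verified
// against the policy's key. Field names are assumptions for this illustration.
type Attestation struct {
	PredicateType  string
	SignatureValid bool
}

// admitVulnerable models the pre-0.2.1 decision described in the advisory.
// It passes as soon as any attestation has a valid signature and never checks
// that one of the requested type exists, so wantType is effectively ignored.
func admitVulnerable(atts []Attestation, wantType string) bool {
	for _, a := range atts {
		if a.SignatureValid {
			return true
		}
	}
	return false
}

// admitFixed requires both conditions to hold on the same attestation: it must
// be of the requested type AND carry a valid signature. An image with no
// attestation of that type is denied no matter what else is signed on it.
// The reason string is returned so the decision can be logged or audited.
func admitFixed(atts []Attestation, wantType string) (bool, string) {
	sawType := false
	for _, a := range atts {
		if a.PredicateType != wantType {
			continue
		}
		sawType = true
		if a.SignatureValid {
			return true, fmt.Sprintf("attestation of type %q with valid signature", wantType)
		}
	}
	if !sawType {
		return false, fmt.Sprintf("no attestation of type %q found", wantType)
	}
	return false, fmt.Sprintf("attestation(s) of type %q present but none validly signed", wantType)
}

func main() {
	// Constructed sample: one validly signed attestation of a different type
	// and no "custom" attestation, which is the advisory's failing case.
	atts := []Attestation{{PredicateType: "slsaprovenance", SignatureValid: true}}

	fmt.Println("vulnerable check admits:", admitVulnerable(atts, "custom"))
	ok, why := admitFixed(atts, "custom")
	fmt.Println("fixed check admits:", ok, "-", why)
}
```

Running the block prints the vulnerable check admitting the image and the fixed check denying it with the reason "no attestation of type \"custom\" found", which is exactly the distinction the 0.2.1 release introduces.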

Affected configurations

Vulners:
  Node: sigstore policy_controller    Range: < 0.2.1

NVD:
  Vendor: sigstore    Product: policy_controller    Version: *
  CPE: cpe:2.3:a:sigstore:policy_controller:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "policy-controller",
    "vendor": "sigstore",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.2.1"
      }
    ]
  }
]

