Policy-controller is vulnerable to a supply chain attack. Due to a flaw in the function ValidatePolicyAttestationsForAuthority, under specific conditions an image that should fail attestation validation is reported as passing (a false positive), and the image is admitted to the cluster. An attacker can use this vulnerability to run unsigned images.
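The advisory names the function but not the exact condition, so the following is an added illustration of the bug class it describes (an attestation validator that reports success without having verified anything) rather than policy-controller's own code. The types `Requirement` and `Attestation`, the two validator functions, and the sample inputs are all constructed for this example; the real fix lives in the project's own ValidatePolicyAttestationsForAuthority and is not reproduced here.

```go
package main

import (
	"fmt"
)

// Attestation is a constructed stand-in for one attestation attached to an
// image. Verified models the outcome of signature verification on that
// attestation; PredicateType is the in-toto predicate it claims to carry.
type Attestation struct {
	PredicateType string
	Verified      bool
}

// Requirement is a hypothetical stand-in for one entry of an authority's
// attestation list: a predicate type the image must carry and that must verify.
type Requirement struct {
	PredicateType string
}

// validateFailOpen illustrates the bug class: it only returns an error when a
// matching attestation exists and fails verification. If nothing matches a
// requirement (for example, an image with no attestations at all), the inner
// loop never rejects and the function reports success, so the image is admitted.
func validateFailOpen(reqs []Requirement, atts []Attestation) error {
	for _, r := range reqs {
		for _, a := range atts {
			if a.PredicateType == r.PredicateType && !a.Verified {
				return fmt.Errorf("attestation %q failed verification", r.PredicateType)
			}
		}
	}
	return nil // reached even when no requirement was actually checked
}

// validateFailClosed is the hardened form: every requirement must be satisfied
// by at least one attestation that verified. Absence of a matching, verified
// attestation is itself a rejection, never a pass.
func validateFailClosed(reqs []Requirement, atts []Attestation) error {
	for _, r := range reqs {
		satisfied := false
		for _, a := range atts {
			if a.PredicateType == r.PredicateType && a.Verified {
				satisfied = true
				break
			}
		}
		if !satisfied {
			return fmt.Errorf("no verified attestation of type %q", r.PredicateType)
		}
	}
	return nil
}

func main() {
	// Constructed policy: the authority demands a SLSA provenance attestation.
	reqs := []Requirement{{PredicateType: "https://slsa.dev/provenance/v0.2"}}

	// Constructed unsigned image: it carries no attestations whatsoever.
	var unsigned []Attestation

	fmt.Println("fail-open  :", validateFailOpen(reqs, unsigned))   // <nil>: admitted
	fmt.Println("fail-closed:", validateFailClosed(reqs, unsigned)) // error: rejected
}
```

The practical check for an operator is the same as the example's second validator: a policy that requires attestations must deny an image that carries none, so a quick regression test is to submit an image with no signatures or attestations against a ClusterImagePolicy that requires them and confirm the admission webhook rejects it.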
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/sigstore/policy-controller | le | v0.2.0 |