Policy Bypass

2023-07-0609:42:19

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

imagepolicy

admission.go

malicious users

policy bypass

restricted images

kubernetes

imagepolicywebhook

admission plugin

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

38.7%

JSON

github.com/kubernetes/kubernetes is vulnerable to Policy Bypass. The vulnerability exists in imagepolicy/admission.go, when ephemeral containers are used, which allows malicious users to start containers using restricted images, impacting the cluster if the ImagePolicyWebhook admission plugin is utilized.

CPENameOperatorVersion
github.com/kubernetes/kuberneteslev1.25.10
github.com/kubernetes/kuberneteslev1.24.14
github.com/kubernetes/kuberneteslev1.26.5
github.com/kubernetes/kuberneteslev1.27.2
github.com/kubernetes/kuberneteslev1.25.10
github.com/kubernetes/kuberneteslev1.24.14
github.com/kubernetes/kuberneteslev1.26.5
github.com/kubernetes/kuberneteslev1.27.2

Name	Operator	Version
github.com/kubernetes/kubernetes	le	v1.25.10
github.com/kubernetes/kubernetes	le	v1.24.14
github.com/kubernetes/kubernetes	le	v1.26.5
github.com/kubernetes/kubernetes	le	v1.27.2
github.com/kubernetes/kubernetes	le	v1.25.10
github.com/kubernetes/kubernetes	le	v1.24.14
github.com/kubernetes/kubernetes	le	v1.26.5
github.com/kubernetes/kubernetes	le	v1.27.2