BIT-kyverno-2025-46342

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/kyverno/BIT-kyverno-2025-46342.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-kyverno-2025-46342

Aliases

Published

2025-09-12T11:43:04.352Z

Modified

2025-09-15T07:42:01.991353Z

Summary

Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements

Details

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function GetNamespaceSelectorsFromNamespaceLister in pkg/utils/engine/labels.go. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.

Database specific

{
    "cpes": [
        "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:go:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / kyverno

Package

Name: kyverno
Purl: pkg:bitnami/kyverno

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.5

Introduced

1.14.0-alpha.1

Fixed

1.14.0