Bburky

**Name of the Vulnerable Software and Affected Versions** MinIO Operator versions prior to 7.1.0 **Description** The issue concerns the MinIO Operator STS, a native IAM Authentication for Kubernetes. Without proper scoping, authentication can be replayed to other internal systems that may unintentionally trust it. This occurs when no audiences are provided for the `spec.audiences` field, defaulting to the Kubernetes apiserver. **Recommendations** For versions prior to 7.1.0, update to version 7.1.0 to resolve the issue. As a temporary workaround, consider specifying audiences for the `spec.audiences` field to prevent defaulting to the Kubernetes apiserver.

**Name of the Vulnerable Software and Affected Versions** zot versions prior to 2.1.0 **Description** The cache driver `GetBlob()` in zot, an OCI image registry, allows read access to any blob without an access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled, an attacker who knows the name of an image and the digest of a blob may maliciously read it via a second repository they have read access to. This attack is possible because `ImageStore.CheckBlob()` calls `checkCacheBlob()` to find the blob in a global cache by searching for the digest. If found, it is copied to the user-requested repository with `copyBlob()`. The attack requires the attacker to know the name of a private image and its layer digests. **Recommendations** To resolve the issue, update to version 2.1.0 or later. As a temporary workaround, consider configuring "dedupe": false in the "storage" settings to disable Zot's cache drivers.

**Name of the Vulnerable Software and Affected Versions** Kyverno versions prior to 1.10.0 **Description** The issue allows resources with the `deletionTimestamp` field defined to bypass validate, generate, or mutate-existing policies, even when the `validationFailureAction` field is set to `Enforce`. This occurs because resources pending deletion were exempted by Kyverno to reduce processing load. A malicious user could leverage the Kubernetes finalizers feature by setting a finalizer, causing the Kubernetes API server to set the `deletionTimestamp`, and then not completing the delete operation to bypass a Kyverno policy. For example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This issue is not applicable to Kubernetes Pods. **Recommendations** For Kyverno versions prior to 1.10.0, update to Kyverno 1.10.0 to resolve the issue. As a temporary workaround, consider restricting the use of the Kubernetes finalizers feature to minimize the risk of exploitation. Avoid using indefinite finalizers for resources, such as Kubernetes Service resources, until the issue is resolved. Note that there is no known workaround for this issue.

**Name of the Vulnerable Software and Affected Versions** git-fastclone versions prior to 1.0.1 **Description** The issue allows for arbitrary shell command execution from .gitmodules. An attacker can exploit this by instructing a user to run a recursive clone from a controlled repository, or by performing a man-in-the-middle (MITM) attack on an unencrypted git clone. The `ext` command will be executed when the repository is recursively cloned or when submodules are updated. This attack is effective for both local and remote repository clones. **Recommendations** For git-fastclone versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. As a temporary workaround, consider avoiding recursive clones and submodule updates from untrusted repositories. Restrict access to the `ext` command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** git-fastclone versions prior to 1.0.5 **Description** The issue allows an attacker to execute malicious commands by modifying user modifiable strings that are passed as arguments to `cd` and `git clone` commands in the library. This is due to the library passing these strings directly to a shell command. **Recommendations** For git-fastclone versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of user modifiable strings in the `cd` and `git clone` commands to minimize the risk of exploitation.