Kyverno · Kyverno · CVE-2025-29778
**Name of the Vulnerable Software and Affected Versions**
Kyverno versions prior to 1.14.0-alpha.1
**Description**
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores the `subjectRegExp` and `issuerRegExp` fields when verifying artifact signatures in keyless mode. A policy that relies on these fields therefore accepts artifacts signed by an unexpected certificate, which allows an attacker to deploy Kubernetes resources that the policy was meant to reject. Deploying such unauthorized Kubernetes resources can lead to a full compromise of the Kubernetes cluster. The vulnerability occurs because Kyverno only checks the exact-match `subject` and `issuer` fields when verifying signatures, while `subjectRegExp` and `issuerRegExp`, intended for more flexible matching, are not evaluated at all.
**Recommendations**
Upgrade to Kyverno version 1.14.0-alpha.1 or later to resolve this issue.
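Until every cluster is upgraded, a useful check is to find policies whose keyless attestors constrain the signer only through a regexp field, since those constraints are silently unenforced on affected versions. The audit below is an added example, not Kyverno's own code; it walks the `verifyImages` / `attestors` / `entries` / `keyless` structure of a ClusterPolicy (loaded as a dict, for instance via `yaml.safe_load`), and the sample policy, image references and signer identities are constructed.

```python
# Added auditing helper (not Kyverno's own code): walk a Kyverno ClusterPolicy,
# given as a dict such as yaml.safe_load() returns, and flag keyless attestor
# entries that rely only on subjectRegExp/issuerRegExp, which versions before
# 1.14.0-alpha.1 ignore, so the signing certificate's identity goes unchecked.
def audit_keyless_attestors(policy: dict) -> list[str]:
    """One finding per keyless entry whose regexp field lacks its exact-match twin."""
    findings = []
    for rule in policy.get("spec", {}).get("rules", []):
        for vi, verify in enumerate(rule.get("verifyImages", [])):
            for ai, attestor in enumerate(verify.get("attestors", [])):
                for ei, entry in enumerate(attestor.get("entries", [])):
                    keyless = entry.get("keyless")
                    if not isinstance(keyless, dict):
                        continue  # key/certificate-based entries are unaffected
                    loc = (f"rule={rule.get('name')} "
                           f"verifyImages[{vi}].attestors[{ai}].entries[{ei}]")
                    for regexp, exact in (("subjectRegExp", "subject"),
                                          ("issuerRegExp", "issuer")):
                        if regexp in keyless and exact not in keyless:
                            findings.append(f"{loc}: {regexp} set without {exact}; "
                                            "not enforced before Kyverno 1.14.0-alpha.1")
    return findings

# Constructed sample policy: the first rule depends on regexps only (unenforced on
# affected versions); the second pins the exact subject and issuer instead.
SAMPLE_POLICY = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "verify-image-keyless"},
    "spec": {
        "validationFailureAction": "Enforce",
        "rules": [
            {"name": "regexp-only",
             "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
             "verifyImages": [{"imageReferences": ["ghcr.io/example-org/*"],
                               "attestors": [{"entries": [{"keyless": {
                 "subjectRegExp": r"^https://github\.com/example-org/.+$",
                 "issuerRegExp": r"^https://token\.actions\.githubusercontent\.com$",
                 "rekor": {"url": "https://rekor.sigstore.dev"}}}]}]}]},
            {"name": "exact-match",
             "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
             "verifyImages": [{"imageReferences": ["ghcr.io/example-org/*"],
                               "attestors": [{"entries": [{"keyless": {
                 "subject": "https://github.com/example-org/app/.github/workflows/release.yaml@refs/tags/v1.0.0",
                 "issuer": "https://token.actions.githubusercontent.com",
                 "rekor": {"url": "https://rekor.sigstore.dev"}}}]}]}]},
        ],
    },
}
```

Run against the sample, the audit reports both regexp fields of the `regexp-only` rule and nothing for `exact-match`; on a real cluster, feed it each policy from `kubectl get clusterpolicies -o yaml`.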