Koreasecurity

**Name of the Vulnerable Software and Affected Versions** Kyverno versions prior to 1.18.0 Kyverno versions prior to 1.17.2 Kyverno versions prior to 1.16.4 **Description** The `apiCall` feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. Because the service URL lacks validation, it can be directed to attacker-controlled servers. Since the admission controller ServiceAccount possesses permissions to patch webhook configurations, the theft of this token can result in full cluster compromise. **Recommendations** Update to version 1.18.0 or newer. Update to version 1.17.2 or newer. Update to version 1.16.4 or newer. Rotate ServiceAccount tokens.

**Name of the Vulnerable Software and Affected Versions** Istio versions prior to 1.28.6 Istio versions prior to 1.29.2 **Description** When a RequestAuthentication resource is created with a `jwksUri` pointing to an internal service, istiod performs an unauthenticated HTTP GET request to that URL without filtering localhost or link-local IP addresses. This behavior can lead to the distribution of sensitive data to Envoy proxies through the xDS configuration. **Recommendations** Update to version 1.28.6. Update to version 1.29.2. Deploy a `ValidatingAdmissionPolicy` to prevent the creation of RequestAuthentication resources containing suspicious `jwksUri` field values, such as localhost, 127.0.0.0/8, 169.254.0.0/16, and their IPv6 equivalents.

**Name of the Vulnerable Software and Affected Versions** Podman versions 4.8.0 through 5.8.1 **Description** A command injection issue exists in the HyperV machine backend within the file `pkg/machine/hyperv/stubber.go`. The VM image path is inserted into a PowerShell double-quoted string without sanitization, which allows for `$()` subexpression injection. Since PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who controls the VM image path via a crafted machine name or image directory can execute arbitrary PowerShell commands. This occurs with the privileges of the Podman process, which on typical Windows installations results in SYSTEM-level code execution. This issue exclusively affects Windows. **Recommendations** Update to version 5.8.2.

**Name of the Vulnerable Software and Affected Versions** MinIO versions RELEASE.2022-11-08T05-27-07Z through RELEASE.2026-03-17T21-25-16Z **Description** MinIO has a JWT algorithm confusion issue in its OpenID Connect authentication. An attacker who knows the OIDC `ClientSecret` can forge identity tokens and obtain S3 credentials with any policy, including `consoleAdmin`. This allows an attacker to impersonate any user identity, access, modify, or delete data within the MinIO deployment. The attack is deterministic and has a 100% success rate. The attacker must have access to the OIDC `ClientSecret`, which may be found in environment variables, frontend OAuth configurations, mobile app bundles, CI/CD pipelines, or shared configuration files. **Recommendations** Upgrade to MinIO AIStor RELEASE.2026-03-17T21-25-16Z or later. As a workaround, ensure the OIDC `ClientSecret` is treated as a highly sensitive credential and is not exposed to untrusted parties.

**Name of the Vulnerable Software and Affected Versions** Tekton Pipelines versions 1.0.0 through 1.10.0