PT-2023-24664

Bburky · Published 2023-06-01 · Updated 2026-04-16 · CVE-2023-34091

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kyverno versions prior to 1.10.0
Description: The issue allows resources with the deletionTimestamp field set to bypass validate, generate, or mutate-existing policies, even when the validationFailureAction field is set to Enforce. This occurs because Kyverno exempted resources pending deletion from policy evaluation to reduce processing load. A malicious user could leverage the Kubernetes finalizers feature by setting a finalizer, causing the Kubernetes API server to set the deletionTimestamp, and then never completing the delete operation, so that the resource remains in the cluster outside the reach of Kyverno policies. For example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This issue is not applicable to Kubernetes Pods.
Recommendations: For Kyverno versions prior to 1.10.0, update to Kyverno 1.10.0 to resolve the issue. As a temporary workaround, consider restricting the use of the Kubernetes finalizers feature to minimize the risk of exploitation. Avoid using indefinite finalizers for resources, such as Kubernetes Service resources, until the issue is resolved. Note that there is no known workaround for this issue.
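The condition the advisory describes, a non-Pod resource that carries a deletionTimestamp but never finishes deleting because a finalizer is never removed, can be audited from the output of `kubectl get <kind> -A -o json`. The following detection script is an added example, not code from the advisory or from the Kyverno project; the `kubectl`-shaped sample data and the 300-second age threshold are constructed assumptions.

```python
"""Flag Kubernetes resources whose deletion is stuck behind a finalizer.

Kyverno before 1.10.0 skipped validate, generate and mutate-existing policies
for any resource with metadata.deletionTimestamp set, so an object that stays
"deleting" forever runs outside policy. This parses the JSON shape emitted by
`kubectl get <kind> -A -o json` and reports such objects.
"""
from datetime import datetime, timezone

# The advisory states Pods are not affected; every other kind is in scope.
EXEMPT_KINDS = {"Pod"}


def _parse_ts(ts):
    # Kubernetes timestamps are RFC 3339 in UTC, e.g. 2023-06-01T12:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_stuck_deletions(kube_list, now, min_age_seconds=300):
    """Return (namespace, name, kind, finalizers, age_seconds) for every
    non-Pod object pending deletion longer than min_age_seconds that still
    carries finalizers, i.e. an object Kyverno < 1.10.0 would not evaluate."""
    findings = []
    for item in kube_list.get("items", []):
        kind = item.get("kind", "Unknown")
        meta = item.get("metadata", {})
        ts = meta.get("deletionTimestamp")
        finalizers = meta.get("finalizers") or []
        if kind in EXEMPT_KINDS or ts is None or not finalizers:
            continue
        age = (now - _parse_ts(ts)).total_seconds()
        if age >= min_age_seconds:
            findings.append((meta.get("namespace", ""), meta.get("name", ""),
                             kind, list(finalizers), int(age)))
    return findings


# Constructed sample in the shape kubectl emits; not real cluster data.
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "Service", "metadata": {"namespace": "prod", "name": "stuck-svc",
     "deletionTimestamp": "2023-06-01T10:00:00Z",
     "finalizers": ["example.com/never-removed"]}},
    {"kind": "Service", "metadata": {"namespace": "prod", "name": "healthy-svc"}},
    {"kind": "Pod", "metadata": {"namespace": "prod", "name": "term-pod",
     "deletionTimestamp": "2023-06-01T10:00:00Z",
     "finalizers": ["example.com/pod-cleanup"]}},
    {"kind": "Service", "metadata": {"namespace": "dev", "name": "just-deleted",
     "deletionTimestamp": "2023-06-01T11:59:00Z",
     "finalizers": ["example.com/cleanup"]}},
]}
SAMPLE_NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)  # assumed clock


def scan_sample():
    return find_stuck_deletions(SAMPLE, SAMPLE_NOW)


if __name__ == "__main__":
    for ns, name, kind, fins, age in scan_sample():
        print(f"{kind} {ns}/{name}: pending deletion for {age}s, finalizers={fins}")
```

On a live cluster, pipe `kubectl get services -A -o json` (or any other non-Pod kind) into `find_stuck_deletions` with the current UTC time; objects it reports are the ones to reconcile before relying on policy enforcement.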

Weakness Enumeration: Improper Authorization

Related Identifiers

CLEANSTART-2026-UQ68343
CLEANSTART-2026-WI71304
CVE-2023-34091
ECHO-AD8E-08F8-44CD
GHSA-HQ4M-4948-64CC
GO-2023-1819

Affected Products

Kubernetes
Kubernetes Pods
Kubernetes Service
Kyverno