PT-2023-28602 · Kyverno · Kyverno

Author: Adamkorcz · Published: 2023-11-13 · Updated: 2024-08-21 · CVE-2023-42815

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Kyverno version 1.11.0

Description: A security issue was found in Kyverno, a policy engine for Kubernetes, that allows an attacker to cause a denial of service. The flaw is in Kyverno's Notary verifier. To exploit it, the attacker would need control over the registry from which Kyverno fetches signatures. With such control, the attacker could return a malicious response when Kyverno requests signatures from the registry; this response causes a denial of service that blocks other users' admission requests from being processed. The issue affects users who build Kyverno from source at the main branch, which is not the recommended practice. There are no known cases of this issue being exploited.

Recommendations: For Kyverno version 1.11.0, as a temporary workaround, consider disabling the Notary verifier until a patch is available. Restrict access to the registry from which Kyverno fetches signatures to minimize the risk of exploitation. Avoid building Kyverno from source at the main branch, as this is not the recommended practice. At the moment, there is no information about a newer version that contains a fix for this issue.

Exploit

Fix

Weakness Enumeration: Infinite Loop

Related Identifiers:
CVE-2023-42815
GHSA-HJPV-68F4-2262
GO-2023-2337

Affected Products: Kyverno