PT-2024-33271 · Kyverno+1

Jeidsath · Published 2024-10-29 · Updated 2026-04-16 · CVE-2024-48921

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kyverno versions prior to 1.13.0

Description: A Kyverno ClusterPolicy can be overridden by creating a PolicyException in an arbitrary namespace. By design, PolicyExceptions are consumed from any namespace, so users with privileges in non-kyverno namespaces can create exceptions that disable cluster-wide policy for their resources. Administrators may not recognize this potential bypass.

Recommendations: For versions prior to 1.13.0, update to version 1.13.0 to fix the vulnerability. As a temporary workaround until the update is applied, restrict the creation of PolicyException objects to authorized namespaces. Restrict access to the PolicyException object to minimize the risk of exploitation, and avoid using PolicyException objects in non-kyverno namespaces until the issue is resolved.
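The workaround above (restrict where PolicyException objects may be created, and who may create them) can be expressed with Kyverno itself plus Kubernetes RBAC. The following is an added example written for this page; it is not code from the advisory or from the Kyverno project. It assumes that `kyverno` is the only namespace whose administrators are trusted to grant exceptions, and the group name `policy-admins` is a hypothetical placeholder.

```yaml
# Added example (not from the advisory or the Kyverno project).
# Part 1: a ClusterPolicy that rejects any PolicyException whose namespace
# is not "kyverno". Assumption: "kyverno" is the only authorized namespace;
# adjust it for your cluster. This is a stop-gap for versions before 1.13.0,
# not a replacement for upgrading.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-policyexception-namespace
spec:
  validationFailureAction: Enforce   # block the request, do not merely audit it
  rules:
    - name: policyexception-only-in-kyverno-namespace
      match:
        any:
          - resources:
              kinds:
                - PolicyException
      validate:
        message: >-
          PolicyException objects may only be created in the kyverno
          namespace; an exception in another namespace would silently
          override cluster policy (CVE-2024-48921).
        # The admitted object must carry exactly this namespace.
        pattern:
          metadata:
            namespace: kyverno
---
# Part 2: RBAC that grants write access to PolicyException only through a
# namespaced Role in "kyverno". Tenant ClusterRoles should not include the
# policyexceptions resource at all.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: policyexception-editor
  namespace: kyverno
rules:
  - apiGroups: ["kyverno.io"]
    resources: ["policyexceptions"]
    verbs: ["create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: policyexception-editors
  namespace: kyverno
subjects:
  - kind: Group
    name: policy-admins            # hypothetical group; replace with your own
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: policyexception-editor
  apiGroup: rbac.authorization.k8s.io
```

Apply the manifests with `kubectl apply -f`, then confirm the RBAC side with `kubectl auth can-i create policyexceptions.kyverno.io -n <tenant-namespace> --as=<tenant-user>`, which should answer `no` for tenant identities. The two parts are complementary: the ClusterPolicy catches exceptions from any identity that still holds broad create rights, while the RBAC change removes those rights in the first place; in a default Kyverno installation the controller's resource filters skip its own namespace, so exceptions created in `kyverno` are not evaluated by the ClusterPolicy and continue to work.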

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Improper Authorization

Related Identifiers

BIT-KYVERNO-2024-48921
CLEANSTART-2026-UQ68343
CLEANSTART-2026-WI71304
CVE-2024-48921
ECHO-9C9E-8996-A967
GHSA-QJVC-P88J-J9RM
GO-2024-3230
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Kyverno
Suse