PT-2025-5353 · Unknown · Kubewarden-Controller

Flavio · Published 2025-01-30 · Updated 2025-02-11

CVE-2025-24376

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: kubewarden-controller versions prior to 1.21.0

Description: The issue concerns the validation of namespaced resources by AdmissionPolicy and AdmissionPolicyGroup policies in kubewarden-controller. An attacker can exploit this to prevent the creation and update of PolicyReport objects, which contain lists of non-compliant objects found inside a namespace, thereby hiding non-compliant resources. Additionally, a mutating AdmissionPolicy can alter the contents of PolicyReport resources. The validation rules have been tightened starting from version 1.21.0 to prevent the validation of sensitive types of namespaced resources.

Recommendations: For versions prior to 1.21.0, apply the provided Kubewarden policy to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources. The policy, named "deny-interaction-with-policyreport", restricts the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects, and prevents these policies from targeting PolicyReport resources.
For versions prior to 1.21.0, consider updating to version 1.21.0 or later, where the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources.
As a temporary workaround, consider restricting access to the PolicyReport resources to minimize the risk of exploitation. Avoid using the admissionpolicies and admissionpolicygroups resources in the affected API endpoints until the issue is resolved.
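The check below is an added example, not the advisory's or Kubewarden's own code: it mirrors the intent of the "deny-interaction-with-policyreport" policy by flagging AdmissionPolicy and AdmissionPolicyGroup manifests whose rules use wildcards in apiGroups or resources, or that name PolicyReport resources directly. It assumes PolicyReport lives in the wgpolicyk8s.io API group and that spec.rules follows the Kubernetes webhook rule shape; the manifests are constructed samples.

```python
# Added example (not from the advisory or the Kubewarden project). Assumption:
# PolicyReport belongs to the "wgpolicyk8s.io" API group.
POLICYREPORT_GROUP = "wgpolicyk8s.io"
POLICYREPORT_RESOURCES = {"policyreports", "clusterpolicyreports"}
# Only the namespaced policy kinds named in the advisory are in scope.
GUARDED_KINDS = {"AdmissionPolicy", "AdmissionPolicyGroup"}


def rule_violations(rule):
    """Return the reasons a single spec.rules[] entry would be denied."""
    reasons = []
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    if "*" in groups:
        reasons.append("wildcard in apiGroups")
    # Catches "*", "*/*" and "<resource>/*" (subresource wildcards).
    if any("*" in r for r in resources):
        reasons.append("wildcard in resources")
    # Strip subresources ("policyreports/status" -> "policyreports").
    bare = {r.split("/")[0] for r in resources}
    if POLICYREPORT_GROUP in groups and bare & POLICYREPORT_RESOURCES:
        reasons.append("targets PolicyReport resources")
    return reasons


def evaluate(manifest):
    """Return (allowed, messages) for a policy manifest given as a dict."""
    if manifest.get("kind") not in GUARDED_KINDS:
        return True, []  # cluster-scoped kinds are not what this check guards
    messages = []
    for idx, rule in enumerate(manifest.get("spec", {}).get("rules", [])):
        messages.extend(f"rules[{idx}]: {why}" for why in rule_violations(rule))
    return not messages, messages


def _policy(rules):  # constructed sample manifests for demonstration
    return {"apiVersion": "policies.kubewarden.io/v1", "kind": "AdmissionPolicy",
            "metadata": {"name": "sample", "namespace": "team-a"},
            "spec": {"rules": rules}}

SAFE_POLICY = _policy([{"apiGroups": [""], "apiVersions": ["v1"],
                        "resources": ["pods"], "operations": ["CREATE"]}])
WILDCARD_POLICY = _policy([{"apiGroups": ["*"], "apiVersions": ["*"],
                            "resources": ["*"], "operations": ["CREATE", "UPDATE"]}])
REPORT_POLICY = _policy([{"apiGroups": ["wgpolicyk8s.io"], "apiVersions": ["v1alpha2"],
                          "resources": ["policyreports"], "operations": ["CREATE", "UPDATE"]}])

if __name__ == "__main__":
    for name, m in [("safe", SAFE_POLICY), ("wildcard", WILDCARD_POLICY), ("report", REPORT_POLICY)]:
        print(name, evaluate(m))
```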

Weakness Enumeration

Improper Authorization
Improper Neutralization of Wildcards

Related Identifiers

BDU:2025-06412
CVE-2025-24376
GHSA-FC89-JGHX-8PVG
GO-2025-3434
OPENSUSE-SU-2025:14732-1
OPENSUSE-SU-2025_0429-1
SUSE-SU-2025:0429-1

Affected Products

Suse
Kubewarden-Controller