SecuriTricks - CVE-2025-46342

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go`. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.

Product(s) Impacted

Vendor	Product	Versions
Kyverno	Kyverno	<1.13.5, <1.14.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1287

Improper Validation of Specified Type of Input

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	kyverno	kyverno	<1.13.5	/	/	/	/	/	/	/
a	kyverno	kyverno	<1.14.0	/	/	/	/	/	/	/

References

https://github.com/kyverno/kyverno/commit/3ff923b7756e1681daf73849954bd88516589194

https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc

CVSS Score

8.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

View Vector String

Timeline

Published: April 30, 2025, 3:16 p.m.
Last Modified: April 30, 2025, 3:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-46342