Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.

INFO

Published Date :

2025-03-24T16:38:08.104Z

Last Modified :

2025-03-24T17:55:28.379Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-29778 vulnerability.

Vendors Products
Kyverno
  • Kyverno
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-29778.

URL Resource
https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537 cve-icon cve-icon
https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60 cve-icon cve-icon
https://github.com/kyverno/kyverno/pull/12237 cve-icon cve-icon
https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94 cve-icon cve-icon
https://github.com/kyverno/policies/issues/1246 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact