CVE-2025-29778

MEDIUM

Kyverno < 1.13.6 - Improper Authorization

Title source: rule

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.

References (5)

[Exploit, Vendor Advisory] https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94

[Exploit, Issue Tracking] https://github.com/kyverno/policies/issues/1246

[Issue Tracking] https://github.com/kyverno/kyverno/pull/12237

[Patch] https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60

View Patch ZIP pw:eip

[Product] https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537

View Writeup ZIP pw:eip

Scores

CVSS v3 5.8

EPSS 0.0011

EPSS Percentile 29.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (2)

kyverno/kyverno 1.13.0 - 1.13.6

kyverno/kyverno 1.13.0 - 1.14.0-alpha.1Go

Published Mar 24, 2025

Tracked Since Feb 18, 2026