CVE-2022-47633
HIGH8.1EPSS 0.18%kyverno verifyImages rule bypass possible with malicious proxy/registry
Published: 12/21/2022Modified: 3/13/2026
Description
### Impact Users of Kyverno on versions 1.8.3 or 1.8.4 who use `verifyImages` rules to verify container image signatures, and do not prevent use of unknown registries. ### Patches This issue has been fixed in version [1.8.5](https://github.com/kyverno/kyverno/releases/tag/v1.8.5) ### Workarounds Configure a Kyverno policy to restrict registries to a set of secure trusted image registries ([sample](https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries/)). ### References
Affected packages (3)
- Bitnami/kyverno>= 1.8.3, <= 1.8.3, >= 1.8.4, <= 1.8.4
- Go/github.com/kyverno/kyverno>= 1.8.3, < 1.8.5
- Go/github.com/kyverno/kyverno>= 1.8.3, < 1.8.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-47633
- PATCHhttps://github.com/kyverno/kyverno
- WEBhttps://github.com/kyverno/kyverno/compare/v1.8.4...v1.8.5
- WEBhttps://github.com/kyverno/kyverno/pull/5713
- WEBhttps://github.com/kyverno/kyverno/releases/tag/v1.8.5
- WEBhttps://github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
- WEBhttps://kyverno.io/docs/writing-policies/verify-images
- WEBhttps://kyverno.io/docs/writing-policies/verify-images/
- WEBhttps://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
- WEBhttps://pkg.go.dev/vuln/GO-2022-1180
- WEBhttps://web.archive.org/web/20230426095744/https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries