CVE-2023-33191
Kyverno seccomp control can be circumvented
Severity: MEDIUM (4.6) | EPSS: 0.37%
Description
### Impact

Users of the podSecurity (`validate.podSecurity`) subrule in Kyverno versions v1.9.2 and v1.9.3 may be unable to enforce the check for the Seccomp control at the baseline level when using a `version` value of `latest`. There is no effect if a version number is referenced instead. See the [documentation](https://kyverno.io/docs/writing-policies/validate/#pod-security) for information on this subrule type. Users of Kyverno v1.9.2 and v1.9.3 are affected.

### Patches

* v1.9.4
* v1.10.0

### Workarounds

To work around this issue without upgrading to v1.9.4, temporarily install individual policies for the respective Seccomp checks in baseline [here](https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/) and restricted [here](https://kyverno.io/policies/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict/).

### References

* https://kyverno.io/docs/writing-policies/validate/#pod-security
* https://github.com/kyverno/kyverno/pull/7263
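As an added illustration (not part of the advisory and not the Kyverno project's own policy files), the first policy below shows the affected subrule with a pinned Kubernetes release in place of `latest`, and the second is a pattern-based baseline Seccomp check of the kind the workaround links to, so it keeps rejecting `Unconfined` profiles on v1.9.2/v1.9.3 even while `latest` is in use. The policy names and the pinned release `v1.25` are assumptions; check your Kyverno build's supported versions before pinning.

```yaml
# Added example (not the advisory's or Kyverno's own): pin the PSS version instead of "latest".
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-security-baseline  # hypothetical name
spec:
  validationFailureAction: Enforce
  rules:
  - name: baseline
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      podSecurity:
        level: baseline
        version: v1.25  # pinned release (assumed supported); "latest" is the affected path on v1.9.2/v1.9.3
---
# Workaround for clusters kept on v1.9.2/v1.9.3: explicit baseline Seccomp check, modelled on the linked restrict-seccomp policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp-workaround  # hypothetical name
spec:
  validationFailureAction: Enforce
  rules:
  - name: check-seccomp
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "seccompProfile.type, where set, must be RuntimeDefault or Localhost (baseline forbids Unconfined)"
      pattern:
        spec:
          =(securityContext):
            =(seccompProfile):
              =(type): "RuntimeDefault | Localhost"
          =(ephemeralContainers):
          - =(securityContext):
              =(seccompProfile):
                =(type): "RuntimeDefault | Localhost"
          =(initContainers):
          - =(securityContext):
              =(seccompProfile):
                =(type): "RuntimeDefault | Localhost"
          containers:
          - =(securityContext):
              =(seccompProfile):
                =(type): "RuntimeDefault | Localhost"
```

The `=()` conditional anchors make each check apply only when the field is present, which matches the baseline rule that an unset profile is allowed but `Unconfined` is not.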
Affected packages (2)
- Go/github.com/kyverno/kyverno>= 1.9.2, < 1.9.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.6) | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L |