CVE-2025-46342 Information
Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0 it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function GetNamespaceSelectorsFromNamespaceLister in pkg/utils/engine/labels.go. As a consequence security-critical mutations and validations are bypassed potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.
Reference
https://github.com/kyverno/kyverno/commit/3ff923b7756e1681daf73849954bd88516589194 https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc
Share on: