Kyverno
cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*
- <= 1.13.4
- <= 1.12.7
- <= 1.11.5
A vulnerability exists in Kyverno versions prior to 1.13.5 and 1.14.0, where policy rules utilizing namespace selectors in their match statements may not be applied during admission review. This issue arises from a lack of proper error handling in the function 'GetNamespaceSelectorsFromNamespaceLister' within 'pkg/utils/engine/labels.go'. As a result, security-critical mutations and validations can be bypassed, potentially allowing attackers with Kubernetes API access to execute malicious actions.
This vulnerability can lead to a bypass of Kyverno policies, allowing unauthorized actions on resources that should be governed by those policies. This is particularly concerning for security-critical policies that manage mutations and validations during the Kubernetes admission process.
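The failure mode described above, reduced to a minimal Go illustration (an added example, not Kyverno's source code): when the error from a namespace-label lookup is discarded, a rule with a namespace selector silently stops applying, whereas the fail-closed variant rejects the request. All names (`nsLister`, `matches`, `admitFailOpen`, `admitFailClosed`) and the sample data are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-in for a cache-backed namespace lister (not Kyverno code).
type nsLister map[string]map[string]string

func (l nsLister) labels(ns string) (map[string]string, error) {
	if lbls, ok := l[ns]; ok {
		return lbls, nil
	}
	return nil, errors.New("namespace not in cache")
}

// matches reports whether labels carry every key/value the selector requires.
func matches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// admitFailOpen discards the lookup error. Nil labels never match, so the
// rule is treated as "not applicable" and the request is admitted unchecked.
func admitFailOpen(l nsLister, ns string, sel map[string]string, compliant bool) bool {
	lbls, _ := l.labels(ns)
	return !matches(sel, lbls) || compliant
}

// admitFailClosed returns the error so the caller can reject the request
// when it cannot tell whether the rule applies.
func admitFailClosed(l nsLister, ns string, sel map[string]string, compliant bool) (bool, error) {
	lbls, err := l.labels(ns)
	if err != nil {
		return false, fmt.Errorf("labels for namespace %q: %w", ns, err)
	}
	return !matches(sel, lbls) || compliant, nil
}

func main() {
	cache := nsLister{"payments": {"env": "prod"}} // constructed sample data
	sel := map[string]string{"env": "prod"}
	fmt.Println(admitFailOpen(cache, "payments", sel, false)) // false: rule enforced
	fmt.Println(admitFailOpen(cache, "billing", sel, false))  // true: lookup failed, rule skipped
	ok, err := admitFailClosed(cache, "billing", sel, false)
	fmt.Println(ok, err != nil) // false true: denied with an error
}
```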
Users can upgrade to Kyverno versions 1.13.5 or 1.14.0, where this vulnerability has been patched.