CVE-2025-46342
April 30, 2025
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to a missing error propagation in function "GetNamespaceSelectorsFromNamespaceLister" in "pkg/utils/engine/labels.go". As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations. This issue has been patched in versions 1.13.5 and 1.14.0.
Affected Packages
https://github.com/kyverno/kyverno.git (GITHUB):
Affected version(s) >=v0.1.0 <v1.13.5Fix Suggestion:
Update to version v1.13.5https://github.com/kyverno/kyverno.git (GITHUB):
Affected version(s) =v1.14.0-alpha.1 <v1.14.0Fix Suggestion:
Update to version v1.14.0github.com/kyverno/kyverno (GO):
Affected version(s) >=v1.14.0-alpha.1 <v1.14.0Fix Suggestion:
Update to version v1.14.0Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
8.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Validation of Specified Type of Input
EPSS
Base Score:
0.13
