SCA: security update for github.com/kyverno/kyverno (GHSA-hq4m-4948-64cc)

medium Tenable Cloud Security Plugin ID 415887

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources
which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing
policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation
occurs as resources pending deletion were being consciously exempted by Kyverno, as a way to reduce
processing load as policies are typically not applied to objects which are being deleted. However, this
could potentially result in allowing a malicious user to leverage the Kubernetes finalizers feature by
setting a finalizer which causes the Kubernetes API server to set the `deletionTimestamp` and then not
completing the delete operation as a way to explicitly to bypass a Kyverno policy. Note that this is not
applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using
an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known
workaround. (CVE-2023-34091)

See Also

https://github.com/advisories/GHSA-hq4m-4948-64cc

Plugin Details

Severity: Medium

ID: 415887

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2023-34091

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/5/2023

Vulnerability Publication Date: 6/1/2023

Reference Information

CVE: CVE-2023-34091

cwe: CWE-285