Detections
Analytics

SCA: security update for github.com/kubewarden/kubewarden-controller (GHSA-756x-m4mj-q96c)

medium Tenable Self-Hosted Container Security Plugin ID 420805

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden
 admission policies. The policy group feature, added to by the 1.17.0 release. By being namespaced, the
 AdmissionPolicyGroup has a well constrained impact on cluster resources. Hence, it’s considered safe to
 allow non-admin users to create and manage these resources in the namespaces they own. Kubewarden policies
 can be allowed to query the Kubernetes API at evaluation time; these types of policies are called “context
 aware“. Context aware policies can perform list and get operations against a Kubernetes cluster. The
 queries are done using the ServiceAccount of the Policy Server instance that hosts the policy. That means
 that access to the cluster is determined by the RBAC rules that apply to that ServiceAccount. The
 AdmissionPolicyGroup CRD allowed the deployment of context aware policies. This could allow an attacker to
 obtain information about resources that are out of their reach, by leveraging a higher access to the
 cluster granted to the ServiceAccount token used to run the policy. The impact of this vulnerability
 depends on the privileges that have been granted to the ServiceAccount used to run the Policy Server and
 assumes that users are using the recommended best practices of keeping the Policy Server's ServiceAccount
 least privileged. By default, the Kubewarden helm chart grants access to the following resources (cluster
 wide) only: Namespace, Pod, Deployment and Ingress. This vulnerability is fixed in 1.21.0.
 (CVE-2025-24784)

See Also

https://github.com/advisories/GHSA-756x-m4mj-q96c

Plugin Details

Severity: Medium

ID: 420805

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/30/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.4

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2025-24784

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/30/2025

Vulnerability Publication Date: 1/30/2025

Reference Information

CVE: CVE-2025-24784