SCA: security update for github.com/kyverno/kyverno (GHSA-r5p3-955p-5ggq)

high Tenable Self-Hosted Container Security Plugin ID 428610

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and
below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable
substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using
the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ |
non_existent_function }}). This leads to a nil value being substituted into the policy structure.
Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values,
results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno
worker threads in the admission controller and causes continuous crashes of the reports controller pod.
This is fixed in version 1.14.2. (CVE-2025-47281)

See Also

https://github.com/advisories/GHSA-r5p3-955p-5ggq

Plugin Details

Severity: High

ID: 428610

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 7/22/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.16

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2025-47281

CVSS v3

Risk Factor: High

Base Score: 7.7

Temporal Score: 6.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/22/2025

Vulnerability Publication Date: 7/22/2025

Reference Information

CVE: CVE-2025-47281