data/reports/GO-2022-1180.yaml - vulndb - Git at Google

 modules:
   - module: github.com/kyverno/kyverno
     versions:
       - introduced: 1.8.3
         fixed: 1.8.5
     vulnerable_at: 1.8.5-0.20221217180442-ef63302dc479
     packages:
       - package: github.com/kyverno/kyverno/pkg/engine
         symbols:
           - imageVerifier.verifyAttestation
           - imageVerifier.verifyAttestations
           - imageVerifier.verifyAttestors
           - imageVerifier.verifyAttestorSet
           - imageVerifier.verifyImage
         skip_fix: 'TODO: revisit this reason (undefined: gojmespath.NotFoundError)'
 description: |
     `verifyImages` rules can be bypassed by a malicious proxy/registry.
 cves:
   - CVE-2022-47633
 ghsas:
   - GHSA-m3cq-xcx9-3gvm
 credit: '@slashben'
 references:
   - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
   - fix: https://github.com/kyverno/kyverno/pull/5713
   - web: https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries
	modules:
	- module: github.com/kyverno/kyverno
	versions:
	- introduced: 1.8.3
	fixed: 1.8.5
	vulnerable_at: 1.8.5-0.20221217180442-ef63302dc479
	packages:
	- package: github.com/kyverno/kyverno/pkg/engine
	symbols:
	- imageVerifier.verifyAttestation
	- imageVerifier.verifyAttestations
	- imageVerifier.verifyAttestors
	- imageVerifier.verifyAttestorSet
	- imageVerifier.verifyImage
	skip_fix: 'TODO: revisit this reason (undefined: gojmespath.NotFoundError)'
	description: \|
	`verifyImages` rules can be bypassed by a malicious proxy/registry.
	cves:
	- CVE-2022-47633
	ghsas:
	- GHSA-m3cq-xcx9-3gvm
	credit: '@slashben'
	references:
	- advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-m3cq-xcx9-3gvm
	- fix: https://github.com/kyverno/kyverno/pull/5713
	- web: https://kyverno.io/policies/best-practices/restrict_image_registries/restrict_image_registries