CVE-2023-47630

7.1 HIGH

📋 TL;DR

This vulnerability in Kyverno allows attackers who compromise image registries to control which image digests Kyverno users receive, potentially delivering vulnerable or malicious images. Only users pulling images from compromised registries are affected; those using trusted registries and pulling by digest are safe.

💻 Affected Systems

Products:
  • Kyverno
Versions: Versions before 1.10.5
Operating Systems: Any OS running Kubernetes with Kyverno
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users pulling images from registries by tag rather than digest.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker compromises registry, delivers malicious images with known vulnerabilities to Kyverno users, enabling further privilege escalation and potential cluster compromise.

🟠

Likely Case

Limited impact requiring registry compromise, knowledge of specific images used, and exploitable vulnerabilities in previous image versions.

🟢

If Mitigated

No impact when using trusted registries and pulling images by digest rather than tag.

🌐 Internet-Facing: MEDIUM - Requires registry compromise which could affect internet-facing registries.
🏢 Internal Only: LOW - Internal registries are less likely to be compromised unless specifically targeted.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Requires registry compromise, knowledge of specific images used, and exploitable vulnerabilities in those images.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.5

Vendor Advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-3hfq-cx9j-923w

Restart Required: Yes

Instructions:

1. Back up the current Kyverno configuration.
2. Update Kyverno to version 1.10.5 or later using your preferred deployment method (helm, kubectl, etc.).
3. Verify the new version is running correctly.

🧯 If You Can't Patch

  • Use only trusted image registries with strong security controls
  • Configure Kyverno to pull images by digest rather than tag

🔍 How to Verify

Check if Vulnerable:

Check the running Kyverno version (any version before 1.10.5 is affected):

kubectl get deployment kyverno -n kyverno -o jsonpath='{.spec.template.spec.containers[0].image}'

Verify Fix Applied:

Verify the image tag is 1.10.5 or later (the pattern covers 1.10.5 and above, 1.11 and above, and 1.20 and above; it exits non-zero on an older tag):

kubectl get deployment kyverno -n kyverno -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -E '1\.10\.([5-9]|[1-9][0-9])|1\.1[1-9]\.|1\.[2-9][0-9]\.'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected image pull failures
  • Registry authentication errors
  • Image digest mismatches

Network Indicators:

  • Unusual traffic to/from image registries
  • Connections to untrusted registries

SIEM Query:

source="kyverno" AND ("image pull error" OR "digest mismatch" OR "registry auth")
