x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-46mp-8w32-6g94

[GoVulnBot]

Advisory GHSA-46mp-8w32-6g94 references a vulnerability in the following Go modules:

Module
github.com/kyverno/kyverno

Description:

Summary

Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate.

Details

Kyverno checks only subject and issuer fields when verifying an artifact's signature: https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537. While there are subjectRegExp and issuerRegExp fields that can also be used for the defining expected subject and issue values. If the last ones are used then their ...

References:

• ADVISORY: GHSA-46mp-8w32-6g94
• ADVISORY: GHSA-46mp-8w32-6g94
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-29778
• FIX: kyverno/kyverno@8777672
• FIX: changes if condition to check for RegExp field kyverno/kyverno#12237
• REPORT: https://github.com/kyverno/policies/issues/1246
• WEB: https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537

Cross references:

• github.com/kyverno/kyverno appears in 10 other report(s):
  • data/reports/GO-2022-1180.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-m3cq-xcx9-3gvm #1180)
  • data/reports/GO-2023-1801.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-33191 #1801)
  • data/reports/GO-2023-1804.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-hgv6-w7r3-w4qw #1804)
  • data/reports/GO-2023-1819.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-34091 #1819)
  • data/reports/GO-2023-2335.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-42813 #2335)
  • data/reports/GO-2023-2336.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-42814 #2336)
  • data/reports/GO-2023-2337.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-42815 #2337)
  • data/reports/GO-2023-2338.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-42816 #2338)
  • data/reports/GO-2023-2340.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: CVE-2023-47630 #2340)
  • data/reports/GO-2024-3230.yaml (x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-qjvc-p88j-j9rm #3230)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/kyverno/kyverno
      versions:
        - fixed: 1.14.0-alpha.1
      vulnerable_at: 1.13.4
summary: Kyverno ignores subjectRegExp and IssuerRegExp in github.com/kyverno/kyverno
cves:
    - CVE-2025-29778
ghsas:
    - GHSA-46mp-8w32-6g94
references:
    - advisory: https://github.com/advisories/GHSA-46mp-8w32-6g94
    - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-46mp-8w32-6g94
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-29778
    - fix: https://github.com/kyverno/kyverno/commit/8777672fb17bdf252bd2e7d8de3441e240404a60
    - fix: https://github.com/kyverno/kyverno/pull/12237
    - report: https://github.com/kyverno/policies/issues/1246
    - web: https://github.com/Mohdcode/kyverno/blob/373f942ea9fa8b63140d0eb0e101b9a5f71033f3/pkg/cosign/cosign.go#L537
source:
    id: GHSA-46mp-8w32-6g94
    created: 2025-03-24T20:01:22.749988496Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/660559 mentions this issue: data/reports: add 28 reports