Skip to content

x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-459x-q9hg-4gpq #3615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
GoVulnBot opened this issue Apr 15, 2025 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/kyverno/kyverno: GHSA-459x-q9hg-4gpq #3615

GoVulnBot opened this issue Apr 15, 2025 · 1 comment
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-459x-q9hg-4gpq references a vulnerability in the following Go modules:

Module
github.com/kyverno/kyverno

Description:

Summary

An attacker with the ability to create Kyverno policies in a Kubernetes cluster can use Service Call functionality to perform SSRF to a server under their control in order to exfiltrate data.

Details

According to the documentation, Service Call is intended to address services located inside the Kubernetes cluster, but this method can also resolve external addresses, which allows making requests outside the Kubernetes cluster.

https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-service-calls

PoC

Create a slightly modified Cluster Policy from the...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/kyverno/kyverno
      vulnerable_at: 1.13.4
summary: Kyverno vulnerable to SSRF via Service Calls in github.com/kyverno/kyverno
ghsas:
    - GHSA-459x-q9hg-4gpq
references:
    - advisory: https://github.com/advisories/GHSA-459x-q9hg-4gpq
    - advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-459x-q9hg-4gpq
source:
    id: GHSA-459x-q9hg-4gpq
    created: 2025-04-15T22:01:28.294696373Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/665975 mentions this issue: data/reports: add 12 reports

This was referenced Apr 29, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @thatnealpatel @GoVulnBot