Severity score: 4.3

Kubernetes Policy Engine Configuration Bypass via Deprecated APIs

Identifiers: GHSA-6r7f-3fwq-hq74 · CVE-2026-29773
Summary

Kubewarden users who already hold elevated permissions (the ability to create AdmissionPolicies, which is not granted by default) can exploit a vulnerability that lets them read sensitive Kubernetes resources, such as Ingresses, Namespaces, and Services, without proper authorization. Cluster operators should review and limit which users hold these permissions. Immediate action is not required, but the vulnerability should still be addressed to maintain cluster security.

What to do
  • Update kubewarden (github.com) to version 1.33.0.
  • Update github.com/kubewarden/kubewarden-controller (kubewarden) to version 1.33.0.
Affected software
Vendor      Product                                       Affected versions   Fix available
github.com  kubewarden                                    <= 1.33.0           1.33.0
kubewarden  github.com/kubewarden/kubewarden-controller   <= 1.33.0           1.33.0
Original title
Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One o...
Original description
Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden's promises is that configured users can deploy namespaced policies in a safe manner, without privilege escalation. An attacker with privileged "AdmissionPolicy" create permissions (which isn't the default) could make use of 3 deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, kubernetes/services. The attacker can craft a policy that exercises these deprecated API calls and would allow them read access to Ingresses, Namespaces, and Services resources respectively.
This attack is read-only, there is no write capability and no access to Secrets, ConfigMaps, or other resource types beyond these three.
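The advisory's mitigation is to review who may create AdmissionPolicies and AdmissionPolicyGroups. The script below is an added example (not code from the advisory or the Kubewarden project) that walks Role, ClusterRole, RoleBinding and ClusterRoleBinding objects and lists every subject with `create` on those resources, honouring RBAC's `*` wildcards and the case where a RoleBinding references a ClusterRole. The RBAC objects in the block are constructed sample data shaped like `kubectl get ... -o json`; the API group `policies.kubewarden.io` is an assumption to confirm against your cluster's CRDs.

```python
"""Audit which RBAC subjects may create Kubewarden namespaced policies.

Added example, not code from the advisory or the Kubewarden project. The
RBAC objects below are constructed to mirror `kubectl get roles,rolebindings,
clusterroles,clusterrolebindings -A -o json`; real output loads the same way.
"""

# Assumption: the AdmissionPolicy / AdmissionPolicyGroup CRDs live in this API
# group. Confirm with `kubectl api-resources | grep kubewarden` on your cluster.
POLICY_API_GROUP = "policies.kubewarden.io"
POLICY_RESOURCES = ("admissionpolicies", "admissionpolicygroups")


def _matches(allowed, value):
    """RBAC list semantics: '*' matches anything, otherwise exact match."""
    return "*" in allowed or value in allowed


def rule_grants_policy_create(rule):
    """True if a single PolicyRule lets its holder create a namespaced policy."""
    return (
        _matches(rule.get("apiGroups", []), POLICY_API_GROUP)
        and any(_matches(rule.get("resources", []), r) for r in POLICY_RESOURCES)
        and _matches(rule.get("verbs", []), "create")
    )


def role_grants_policy_create(role):
    return any(rule_grants_policy_create(r) for r in role.get("rules", []))


def find_policy_creators(roles, cluster_roles, role_bindings, cluster_role_bindings):
    """Return sorted (scope, subject, binding) triples; scope '*' means cluster-wide."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    cluster_roles_by_name = {r["metadata"]["name"]: r for r in cluster_roles}
    findings = []

    for rb in role_bindings:
        ns = rb["metadata"]["namespace"]
        ref = rb["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant is then scoped to ns.
        role = (roles_by_key.get((ns, ref["name"])) if ref["kind"] == "Role"
                else cluster_roles_by_name.get(ref["name"]))
        if role and role_grants_policy_create(role):
            for s in rb.get("subjects", []):
                findings.append((ns, f"{s['kind']}:{s['name']}", rb["metadata"]["name"]))

    for crb in cluster_role_bindings:
        role = cluster_roles_by_name.get(crb["roleRef"]["name"])
        if role and role_grants_policy_create(role):
            for s in crb.get("subjects", []):
                findings.append(("*", f"{s['kind']}:{s['name']}", crb["metadata"]["name"]))

    return sorted(findings)


# --- constructed sample RBAC objects (not from any real cluster) ---------------
def _role(kind, name, rules, namespace=None):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, "rules": rules}


def _binding(kind, name, ref_kind, ref_name, subjects, namespace=None):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": ref_kind, "name": ref_name}, "subjects": subjects}


SAMPLE_ROLES = [
    _role("Role", "policy-author", [{"apiGroups": [POLICY_API_GROUP],
          "resources": ["admissionpolicies"], "verbs": ["create", "update"]}], "team-a"),
    _role("Role", "policy-viewer", [{"apiGroups": [POLICY_API_GROUP],
          "resources": ["*"], "verbs": ["get", "list"]}], "team-b"),  # read-only: not flagged
]
SAMPLE_CLUSTER_ROLES = [
    _role("ClusterRole", "wildcard-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
]
SAMPLE_ROLE_BINDINGS = [
    _binding("RoleBinding", "policy-author-binding", "Role", "policy-author",
             [{"kind": "User", "name": "alice"}], "team-a"),
    _binding("RoleBinding", "policy-viewer-binding", "Role", "policy-viewer",
             [{"kind": "User", "name": "bob"}], "team-b"),
    _binding("RoleBinding", "ci-wildcard", "ClusterRole", "wildcard-admin",
             [{"kind": "ServiceAccount", "name": "ci"}], "team-c"),
]
SAMPLE_CLUSTER_ROLE_BINDINGS = [
    _binding("ClusterRoleBinding", "ops-all", "ClusterRole", "wildcard-admin",
             [{"kind": "Group", "name": "ops"}]),
]


def audit_sample():
    return find_policy_creators(SAMPLE_ROLES, SAMPLE_CLUSTER_ROLES,
                                SAMPLE_ROLE_BINDINGS, SAMPLE_CLUSTER_ROLE_BINDINGS)


if __name__ == "__main__":
    for scope, subject, binding in audit_sample():
        print(f"{scope:8} {subject:22} via {binding}")
```

Every subject the script reports should be one the operator intends to trust with policy authorship until the controller is on the fixed version. The script does not expand aggregated ClusterRoles, so cross-check individual principals with `kubectl auth can-i create admissionpolicies.policies.kubewarden.io --as <user> -n <namespace>`.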
Source: GHSA · CVSS 3.1 base score: 4.3
Vulnerability type
CWE-863 Incorrect Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026