
Cloud Vulnerability DB
A community-led vulnerabilities database
An image signature validation bypass vulnerability in Kyverno versions 1.8.3 and 1.8.4, tracked as CVE-2022-47633, allows a malicious image registry, or an attacker positioned between the cluster and the registry, to bypass image signature verification and get an unsigned image admitted into a protected cluster. The vulnerability was disclosed in December 2022 and affects the Kyverno admission controller, the policy engine used to enforce policies on Kubernetes workloads, including verification of container image signatures (GitHub Advisory).
The flaw lies in how Kyverno's verifyImages rules resolve an image. During validation, the admission controller fetches the image's signature and its manifest from the registry, hashes the manifest to obtain the image digest, and verifies the signature against that digest. During the subsequent mutation phase, in which the image tag in the workload spec is replaced by a digest, Kyverno resolved the manifest again instead of reusing the digest it had just verified. A malicious registry can therefore serve a correctly signed manifest to the verification request and a different, unsigned manifest to the mutation request; the unsigned image's digest is written into the pod spec, and the kubelet pulls that image. A verifyImages rule on its own does not restrict which registries may be contacted, so any registry an image reference points at is in a position to mount this attack (SOCRadar).
Successful exploitation of CVE-2022-47633 lets the attacker substitute an image of their choosing for the signed one. The resulting pod runs with the victim workload's resources, including mounted credentials and service account API tokens, so a compromised or spoofed registry becomes a supply chain compromise of the cluster through an unsigned malicious container image (SOCRadar).
The vulnerability is fixed in Kyverno version 1.8.5, which ensures that the digest used to verify the signature is the same digest written into the workload specification. As a workaround, a Kyverno policy can restrict images to a set of trusted registries, so that an untrusted registry is never consulted; note that this does not help against an attacker who can tamper with responses from a trusted registry. Users are advised to update to the latest version as soon as possible (GitHub Advisory).
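The verify-then-mutate gap described above, and the fix and registry-restriction workaround, as an added Go example. This is not Kyverno's code and does not use cosign: a mock registry interface, ed25519 signatures over the digest string (standing in for cosign's signed payload), constructed sample manifests and the hypothetical reference `registry.example.com/app:1.0` are all assumptions made for illustration. `admitVulnerable` re-resolves the manifest after verification, as 1.8.3/1.8.4 did; `admitFixed` pins the digest it verified, as 1.8.5 does; `registryAllowed` models the workaround of refusing untrusted registries before any fetch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Digest is an OCI manifest digest in "sha256:<hex>" form.
type Digest string

func digestOf(manifest []byte) Digest {
	sum := sha256.Sum256(manifest)
	return Digest("sha256:" + hex.EncodeToString(sum[:]))
}

// Registry models the two things an admission controller asks a registry for:
// the manifest (hashed to get the digest) and the signature over that digest.
// This is a simplification of the OCI/cosign protocol, not a real client.
type Registry interface {
	Manifest(ref string) ([]byte, error)
	Signature(ref string) ([]byte, error)
}

// honestRegistry serves the same manifest on every fetch.
type honestRegistry struct{ manifest, sig []byte }

func (r *honestRegistry) Manifest(string) ([]byte, error)  { return r.manifest, nil }
func (r *honestRegistry) Signature(string) ([]byte, error) { return r.sig, nil }

// maliciousRegistry serves the signed manifest to the first fetch (the one that
// verification hashes) and an unsigned manifest to every fetch after it.
type maliciousRegistry struct {
	signed, evil, sig []byte
	manifestCalls     int
}

func (r *maliciousRegistry) Manifest(string) ([]byte, error) {
	r.manifestCalls++
	if r.manifestCalls == 1 {
		return r.signed, nil
	}
	return r.evil, nil
}
func (r *maliciousRegistry) Signature(string) ([]byte, error) { return r.sig, nil }

var errBadSignature = errors.New("image signature verification failed")

// verifyImage is the validation step shared by both admission paths: fetch the
// manifest and signature, then check the signature over the manifest digest.
func verifyImage(reg Registry, pub ed25519.PublicKey, ref string) (Digest, error) {
	manifest, err := reg.Manifest(ref)
	if err != nil {
		return "", err
	}
	sig, err := reg.Signature(ref)
	if err != nil {
		return "", err
	}
	d := digestOf(manifest)
	if !ed25519.Verify(pub, []byte(d), sig) {
		return "", errBadSignature
	}
	return d, nil
}

// admitVulnerable models 1.8.3/1.8.4: mutation resolves the tag to a digest with a
// second manifest fetch, so the digest pinned into the pod spec need not be the
// one the signature was checked against.
func admitVulnerable(reg Registry, pub ed25519.PublicKey, ref string) (Digest, error) {
	if _, err := verifyImage(reg, pub, ref); err != nil {
		return "", err
	}
	manifest, err := reg.Manifest(ref) // second round-trip: the attacker's window
	if err != nil {
		return "", err
	}
	return digestOf(manifest), nil
}

// admitFixed models 1.8.5: the digest that passed verification is the digest
// written into the workload; there is no second resolution.
func admitFixed(reg Registry, pub ed25519.PublicKey, ref string) (Digest, error) {
	return verifyImage(reg, pub, ref)
}

// registryOf extracts the registry host from an image reference, applying the
// docker.io default when the first path component is not a hostname.
func registryOf(ref string) string {
	parts := strings.SplitN(ref, "/", 2)
	if len(parts) == 1 || (!strings.ContainsAny(parts[0], ".:") && parts[0] != "localhost") {
		return "docker.io"
	}
	return parts[0]
}

// registryAllowed is the advisory's workaround in miniature: refuse to contact
// any registry that is not on the cluster's trusted list.
func registryAllowed(ref string, trusted []string) bool {
	host := registryOf(ref)
	for _, t := range trusted {
		if host == t {
			return true
		}
	}
	return false
}

// Outcome records what each admission path pins for the same image reference.
type Outcome struct {
	SignedDigest, EvilDigest Digest
	Vulnerable, Fixed        Digest
	FixedErr, UnsignedErr    error
}

// RunScenario signs a constructed manifest and admits the same tag through a
// malicious registry with both paths, plus a registry serving only an unsigned image.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	signed := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:aaa"}]}`) // constructed sample manifest
	evil := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:bbb"}]}`)   // constructed, never signed
	sig := ed25519.Sign(priv, []byte(digestOf(signed)))
	const ref = "registry.example.com/app:1.0" // hypothetical reference

	vuln, err := admitVulnerable(&maliciousRegistry{signed: signed, evil: evil, sig: sig}, pub, ref)
	if err != nil {
		return Outcome{}, err
	}
	fixed, fixedErr := admitFixed(&maliciousRegistry{signed: signed, evil: evil, sig: sig}, pub, ref)
	_, unsignedErr := admitFixed(&honestRegistry{manifest: evil, sig: sig}, pub, ref)
	return Outcome{
		SignedDigest: digestOf(signed), EvilDigest: digestOf(evil),
		Vulnerable: vuln, Fixed: fixed, FixedErr: fixedErr, UnsignedErr: unsignedErr,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("signed digest:    ", o.SignedDigest)
	fmt.Println("vulnerable pinned:", o.Vulnerable, "(matches unsigned image:", o.Vulnerable == o.EvilDigest, ")")
	fmt.Println("fixed pinned:     ", o.Fixed, "err:", o.FixedErr)
	fmt.Println("unsigned image:   ", o.UnsignedErr)
}
```

The vulnerable path pins the digest of the manifest the registry served second, which the signature never covered; the fixed path pins the digest it verified, so a registry that swaps manifests afterwards gains nothing because the kubelet pulls by that digest. The allowlist check only removes untrusted registries from the picture; it is not a substitute for the 1.8.5 fix.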
Source: This report was generated using AI