CVE-2023-33191: 
NixOS vulnerability analysis and mitigation

Kyverno is a policy engine designed for Kubernetes. A vulnerability was discovered where the Seccomp control could be circumvented in versions 1.9.2 and 1.9.3 when using the podSecurity validate.podSecurity subrule. The issue specifically affects users who set the version value to 'latest' in the baseline level configuration. The vulnerability was discovered in May 2023 and was assigned CVE-2023-33191 (Kyverno Advisory).

The vulnerability affects the podSecurity subrule implementation in Kyverno's validation functionality. When users configure the validate.podSecurity subrule with a version value set to 'latest', the Seccomp control check at the baseline level fails to be properly evaluated. The issue does not manifest when specific version numbers are referenced instead of using 'latest'. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH by NIST NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to bypass Seccomp control checks when the podSecurity validation is configured with the 'latest' version setting. This could potentially lead to container escape vulnerabilities and compromise the security of the Kubernetes cluster (Kyverno Advisory).

The vulnerability has been patched in Kyverno version 1.9.4. For users unable to upgrade immediately, a workaround is available by installing individual policies for the respective Seccomp checks in baseline and restricted configurations. Users are strongly encouraged to upgrade to version 1.9.4 or later to resolve the vulnerability (Kyverno Release, Kyverno Advisory).