CVE-2023-34091: 
NixOS vulnerability analysis and mitigation

Kyverno is a policy engine designed for Kubernetes. In versions prior to 1.10.0, a vulnerability was discovered where resources with the deletionTimestamp field defined could bypass validate, generate, or mutate-existing policies, even when the validationFailureAction field was set to Enforce. This vulnerability was disclosed on June 1, 2023 (GitHub Advisory).

The vulnerability occurs because Kyverno was intentionally exempting resources pending deletion to reduce processing load, as policies typically aren't applied to objects being deleted. However, this implementation could be exploited by malicious users leveraging the Kubernetes finalizers feature. An attacker could set a finalizer that causes the Kubernetes API server to set the deletionTimestamp and then not complete the delete operation, effectively bypassing Kyverno policies (GitHub Advisory). The vulnerability has been assigned a CVSS score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) (NVD).

While this vulnerability doesn't affect Kubernetes Pods, it can be exploited with other resources. For example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass security policies. This could potentially allow attackers to circumvent important security controls implemented through Kyverno policies (GitHub Advisory).

This vulnerability has been fixed in Kyverno version 1.10.0. There are no known workarounds for affected versions, and users are advised to upgrade to version 1.10.0 or later (GitHub Advisory, Kyverno Release).