CVE-2023-42815: 
NixOS vulnerability analysis and mitigation

Kyverno, a policy engine designed for Kubernetes, was found to contain a security vulnerability (CVE-2023-42815) in its Notary verifier component. The vulnerability was discovered during a security audit conducted by Ada Logics, facilitated by OSTIF and funded by the CNCF. The issue affects a new component released in v1.11.0, specifically impacting users who built Kyverno from source at the main branch, while users consuming official Kyverno releases are not affected (GitHub Advisory).

The vulnerability exists in Kyverno's Notary verifier component where an attacker with control over the registry from which Kyverno fetches signatures could return a malicious response to Kyverno's requests. The issue has been assigned a CVSS v3.1 base score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L. The vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition) (NVD, GitHub Advisory).

If exploited, this vulnerability could cause a denial of service condition in Kyverno, resulting in blocked processing of other users' admission requests. The impact is limited to availability, with no effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been patched in version 1.11.0. The fix includes implementing payload sizing and count limits for signatures and attestations from image registries. The solution specifically addresses the vulnerability by adding checks for maximum payload size and referrer count limits (Kyverno Patch).