
Cloud Vulnerability DB
A community-led vulnerabilities database
Kyverno, a policy engine designed for Kubernetes, was found to contain a vulnerability (CVE-2023-47630) that allowed an attacker to control the digest of images consumed by Kyverno users. The vulnerability was discovered during a security audit conducted by Ada Logics, facilitated by OSTIF and funded by the CNCF. It affects versions prior to 1.10.5 and was disclosed on November 13, 2023 (GitHub Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H: reachable over the network, but with high attack complexity and requiring low privileges and user interaction, with high impact on confidentiality, integrity and availability. The root cause is a weakness in image digest verification, classified under CWE-345 (Insufficient Verification of Data Authenticity). Because Kyverno did not adequately verify the digest of the image it resolved, an attacker positioned to influence what the registry returns could manipulate which image a user actually consumed (GitHub Advisory).
If exploited, an attacker who has compromised a registry could return a vulnerable image to the user and leverage that to further escalate their position. The attacker would need to either know which images the Kyverno user consumes and exploit known vulnerabilities in older digests of those images, or craft a malicious image with a different digest containing intentionally placed vulnerabilities (GitHub Advisory).
The vulnerability has been patched in Kyverno version 1.10.5, and all users are advised to upgrade to this version or later. Users who pull their images by digest from trusted registries are not impacted, since a digest-pinned reference names exactly one manifest, and a registry cannot substitute different content for it without the mismatch being detectable (GitHub Advisory).
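The check that digest pinning buys you is worth seeing in code. The following is an added illustration written for this page, not Kyverno's own implementation (Kyverno's verification is built on other libraries and is not reproduced here): it extracts the digest from a reference of the form `repo@sha256:<hex>`, recomputes the content digest of the manifest bytes a registry handed back, and refuses the pull if the two differ or if the reference was only a tag. The registry name `registry.example/app` and the manifest bodies are constructed sample data, not real images.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrNotPinned is returned for tag-only references: with no digest requested,
// there is nothing to compare the registry's answer against.
var ErrNotPinned = errors.New("image reference is not pinned to a digest")

// ErrDigestMismatch is returned when the registry's content does not hash to
// the digest that was requested, i.e. a substituted image.
var ErrDigestMismatch = errors.New("manifest digest does not match requested digest")

// PinnedDigest extracts "sha256:<64 hex chars>" from a reference such as
// "registry.example/app@sha256:...". Tag-only references yield ErrNotPinned.
func PinnedDigest(ref string) (string, error) {
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return "", ErrNotPinned
	}
	d := ref[at+1:]
	const prefix = "sha256:"
	if !strings.HasPrefix(d, prefix) || len(d) != len(prefix)+64 {
		return "", fmt.Errorf("malformed digest %q", d)
	}
	if _, err := hex.DecodeString(d[len(prefix):]); err != nil {
		return "", fmt.Errorf("malformed digest %q: %w", d, err)
	}
	return d, nil
}

// ManifestDigest computes the OCI-style content digest of raw manifest bytes.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyPulled ties what was received to what was requested. A compromised
// registry can answer any request with any bytes; only recomputing the digest
// of the returned manifest and comparing it to the pinned one detects that.
// It returns the digest actually observed along with any error.
func VerifyPulled(ref string, manifest []byte) (string, error) {
	want, err := PinnedDigest(ref)
	if err != nil {
		return "", err
	}
	got := ManifestDigest(manifest)
	if got != want {
		return got, fmt.Errorf("%w: want %s, got %s", ErrDigestMismatch, want, got)
	}
	return got, nil
}

func main() {
	// Constructed sample manifests standing in for registry responses.
	good := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:00"}}`)
	evil := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:ff"}}`)
	pinned := "registry.example/app@" + ManifestDigest(good) // hypothetical repo

	// Honest registry: the content hashes to the requested digest.
	if d, err := VerifyPulled(pinned, good); err == nil {
		fmt.Println("accepted", d)
	}
	// Compromised registry substituting a different image: rejected.
	if _, err := VerifyPulled(pinned, evil); err != nil {
		fmt.Println("rejected:", err)
	}
	// Tag-only reference: nothing to verify, so the pull is not trusted either.
	if _, err := VerifyPulled("registry.example/app:v1.2.3", good); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The point of the third case is the one the advisory makes: a tag such as `:v1.2.3` is a mutable pointer that the registry resolves on your behalf, so whoever controls the registry controls which digest you get. Only a reference that already carries the digest, checked against the bytes actually received, removes the registry from the trust decision.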
Members of the community have raised concerns over the similarity between this vulnerability and CVE-2023-46737. However, these are two different issues with different root causes and levels of impact. While CVE-2023-46737's root cause is in Cosign's codebase and results in a denial-of-service, CVE-2023-47630 originates in Kyverno and allows attackers to trick users into consuming different images than requested (GitHub Advisory).
Source: This report was generated using AI