CVE-2024-48921
Kyverno vulnerability analysis and mitigation

Overview

Kyverno, a policy engine designed for Kubernetes, was found to have a vulnerability (CVE-2024-48921) where ClusterPolicy could be overridden by creating a PolicyException in any namespace. The vulnerability affects versions prior to 1.13.0 and was discovered and disclosed in October 2024 (GitHub Advisory).

Technical details

The vulnerability stems from a design issue: by default, Kyverno consumes PolicyExceptions from any namespace. As a result, a ClusterPolicy such as 'disallow-privileged-containers' can be circumvented by creating a PolicyException in an arbitrary namespace. The vulnerability has been assigned a CVSS v3.1 base score of 2.7 (LOW) with vector string AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, and a CVSS v4.0 score of 8.7 (HIGH) (NVD).

Impact

The vulnerability primarily affects administrators who enforce cluster security through Kyverno policies while allowing less privileged users to create resources. It can lead to security policy bypasses and potential privilege escalation. In a proof-of-concept scenario, a cluster user could create a PolicyException object for 'disallow-privileged-containers' in a namespace and subsequently create a pod with a privileged container, potentially escalating to root on the node (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Kyverno version 1.13.0. Users should upgrade to this version to address the security issue (GitHub Advisory).
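As an added example (not Kyverno project code and not part of this report), the following audit takes the decoded JSON of `kubectl get polex -A -o json` and flags any PolicyException that exempts a ClusterPolicy from outside the namespace an administrator reserves for exceptions; that is the pattern described under Technical details. The reserved namespace `kyverno` and the sample objects are assumptions constructed for the example.

```python
"""Audit Kyverno PolicyException objects for the CVE-2024-48921 pattern:
an exception for a ClusterPolicy that lives outside the namespace reserved
for exceptions. Added example, not Kyverno project code."""
from typing import Any

# Assumption: the namespace an operator reserves for PolicyExceptions.
ALLOWED_EXCEPTION_NAMESPACE = "kyverno"


def audit_exceptions(items: list[dict[str, Any]], cluster_policies: set[str],
                     allowed_ns: str = ALLOWED_EXCEPTION_NAMESPACE) -> list[dict[str, str]]:
    """Return one finding per (PolicyException, ClusterPolicy) pair where the
    exception sits outside allowed_ns. Exceptions for namespaced Policies,
    and exceptions already in allowed_ns, are not reported."""
    findings: list[dict[str, str]] = []
    for polex in items:
        meta = polex.get("metadata", {})
        ns = meta.get("namespace", "")
        for entry in polex.get("spec", {}).get("exceptions", []):
            policy = entry.get("policyName", "")
            if policy in cluster_policies and ns != allowed_ns:
                findings.append({
                    "exception": f"{ns}/{meta.get('name', '')}",
                    "policy": policy,
                    # An empty ruleNames list exempts every rule of the policy.
                    "rules": ",".join(entry.get("ruleNames", [])) or "*",
                })
    return findings


# Constructed sample: shape of `kubectl get polex -A -o json` items.
SAMPLE_ITEMS = [
    {"apiVersion": "kyverno.io/v2", "kind": "PolicyException",
     "metadata": {"name": "approved-debug-tooling", "namespace": "kyverno"},
     "spec": {"exceptions": [{"policyName": "disallow-privileged-containers",
                              "ruleNames": ["privileged-containers"]}]}},
    {"apiVersion": "kyverno.io/v2", "kind": "PolicyException",
     "metadata": {"name": "my-exception", "namespace": "dev-team-a"},
     "spec": {"exceptions": [{"policyName": "disallow-privileged-containers",
                              "ruleNames": []}]}},
    {"apiVersion": "kyverno.io/v2", "kind": "PolicyException",
     "metadata": {"name": "local-label-waiver", "namespace": "dev-team-a"},
     "spec": {"exceptions": [{"policyName": "require-team-label",
                              "ruleNames": ["check-label"]}]}},
]
CLUSTER_POLICIES = {"disallow-privileged-containers"}  # from `kubectl get cpol`

if __name__ == "__main__":
    for f in audit_exceptions(SAMPLE_ITEMS, CLUSTER_POLICIES):
        print(f"FINDING {f['exception']} exempts {f['policy']} rules={f['rules']}")
```

A non-empty result on a cluster running a version before 1.13.0 means the listed ClusterPolicies are not enforced for the resources those exceptions match, and each finding should be reviewed with the namespace owner.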

This report was generated using AI.

Related Kyverno vulnerabilities:

| CVE ID         | Severity | Score | Technologies | Component name                                                                                                                 | CISA KEV exploit | Has fix | Published date |
|----------------|----------|-------|--------------|--------------------------------------------------------------------------------------------------------------------------------|------------------|---------|----------------|
| CVE-2024-48921 | HIGH     | 8.7   | Kyverno      | kyverno                                                                                                                        | No               | Yes     | Oct 29, 2024   |
| CVE-2025-46342 | HIGH     | 8.2   | Wolfi        | kyverno                                                                                                                        | No               | Yes     | Apr 30, 2025   |
| CVE-2025-29778 | HIGH     | 8     | Wolfi        | kyverno                                                                                                                        | No               | Yes     | Mar 24, 2025   |
| CVE-2025-47281 | HIGH     | 7.7   | Wolfi        | kyverno-fips-1.13                                                                                                              | No               | Yes     | Jul 23, 2025   |
| CVE-2024-24791 | HIGH     | 7.5   | cAdvisor     | openshift4::ose-kube-storage-version-migrator-rhel9@sha256:74858ac7f67150d9f491a02e20f3605ae559b7f71f754e73ba3cf593de126052_s390x | No               | Yes     | Jul 02, 2024   |
