
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-24784 affects kubewarden-controller, the Kubernetes controller that registers Kubewarden admission policies dynamically. The flaw was introduced in version 1.17.0 and fixed in version 1.21.0. It lies in the AdmissionPolicyGroup CRD (Custom Resource Definition), a namespaced resource that non-admin users are commonly allowed to create: it permitted deploying context-aware policies, i.e. policies that query the Kubernetes API using the ServiceAccount of the Policy Server instance hosting them rather than the identity of the user who created the policy (GitHub Advisory).
The root cause is that policies declared in an AdmissionPolicyGroup could request context-aware resources, and a context-aware policy may perform list and get operations against the cluster. Those calls are issued by the Policy Server with its own ServiceAccount token, so what a policy can read is bounded by the RBAC rules bound to that ServiceAccount, not by the permissions of whoever created the AdmissionPolicyGroup. By default, the Kubewarden helm chart grants that ServiceAccount cluster-wide read access to Namespace, Pod, Deployment, and Ingress resources (GitHub Advisory).
An attacker who can create AdmissionPolicyGroup resources in a namespace could therefore read resources outside their own RBAC scope, such as Pods or Ingresses in other namespaces, by having a context-aware policy fetch them on the attacker's behalf. The impact scales with the privileges granted to the Policy Server's ServiceAccount: the default role already allows cross-namespace reconnaissance, and if an operator has widened that role (to Secrets or ConfigMaps, say), the exposure grows accordingly (GitHub Advisory).
Version 1.21.0 fixes the issue by removing the ability to define context-aware policies in the AdmissionPolicyGroup CRD. Clusters running Kubewarden < 1.21.0 can apply the workaround published in the advisory: a ClusterAdmissionPolicy that rejects the creation of AdmissionPolicyGroup resources whose members declare context-aware resources. Admission control only gates new requests, so the Kubewarden Audit Scanner should also be run to find AdmissionPolicyGroup resources that already exist and are non-compliant (GitHub Advisory). It is worth checking what the Policy Server ServiceAccount can actually reach, for example with kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<policy-server-serviceaccount>, since that output is exactly what a malicious policy author would have been able to read.
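The check below is an added example, not code from the advisory or from the Kubewarden project. It models the part of an AdmissionPolicyGroup that matters here (spec.policies.<name>.contextAwareResources, following the policies.kubewarden.io/v1 CRD layout; verify the field names against the CRD installed in your cluster) and implements the workaround's decision in Go, the project's own language: parse the object as a validating webhook would receive it, list which members would query the API with the Policy Server's credentials, and reject the group if there are any. The two manifests are constructed samples; the module URIs under example.invalid are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// ContextAwareResource is one resource type a policy asks to read. The read
// is performed with the Policy Server's ServiceAccount, not the policy author's.
type ContextAwareResource struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
}

// GroupMember models one entry of spec.policies in an AdmissionPolicyGroup.
// Only the fields needed for this check are included (assumption: field names
// follow the policies.kubewarden.io/v1 CRD).
type GroupMember struct {
	Module                string                 `json:"module"`
	ContextAwareResources []ContextAwareResource `json:"contextAwareResources,omitempty"`
}

// AdmissionPolicyGroup is the subset of the CRD relevant to this check.
type AdmissionPolicyGroup struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		PolicyServer string                 `json:"policyServer"`
		Policies     map[string]GroupMember `json:"policies"`
	} `json:"spec"`
}

// ParseGroup decodes the JSON form of an AdmissionPolicyGroup (what the API
// server hands a validating webhook) and refuses any other kind.
func ParseGroup(raw []byte) (*AdmissionPolicyGroup, error) {
	var g AdmissionPolicyGroup
	if err := json.Unmarshal(raw, &g); err != nil {
		return nil, err
	}
	if g.Kind != "AdmissionPolicyGroup" {
		return nil, fmt.Errorf("unexpected kind %q", g.Kind)
	}
	return &g, nil
}

// ContextAwareMembers returns, sorted, the names of members that declare
// contextAwareResources, i.e. those that would read the API as the Policy Server.
func ContextAwareMembers(g *AdmissionPolicyGroup) []string {
	var names []string
	for name, m := range g.Spec.Policies {
		if len(m.ContextAwareResources) > 0 {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// ValidateAdmissionPolicyGroup is the workaround decision for pre-1.21.0
// clusters: allow only groups with no context-aware members.
// It returns (allowed, rejection message, parse error).
func ValidateAdmissionPolicyGroup(raw []byte) (bool, string, error) {
	g, err := ParseGroup(raw)
	if err != nil {
		return false, "", err
	}
	names := ContextAwareMembers(g)
	if len(names) == 0 {
		return true, "", nil
	}
	var b strings.Builder
	fmt.Fprintf(&b, "AdmissionPolicyGroup %s/%s rejected: members would read the API as the %q Policy Server ServiceAccount:",
		g.Metadata.Namespace, g.Metadata.Name, g.Spec.PolicyServer)
	for _, n := range names {
		for _, r := range g.Spec.Policies[n].ContextAwareResources {
			fmt.Fprintf(&b, " %s->%s/%s", n, r.APIVersion, r.Kind)
		}
	}
	return false, b.String(), nil
}

// Constructed sample: a tenant-scoped group whose "namespace_probe" member
// asks for cluster-wide Namespace and Deployment reads it is not entitled to.
const SampleContextAwareGroup = `{
  "apiVersion": "policies.kubewarden.io/v1",
  "kind": "AdmissionPolicyGroup",
  "metadata": {"name": "probe", "namespace": "tenant-a"},
  "spec": {
    "policyServer": "default",
    "policies": {
      "privileged_check": {"module": "registry://example.invalid/policies/no-privileged:v1"},
      "namespace_probe": {
        "module": "registry://example.invalid/policies/lookup:v1",
        "contextAwareResources": [
          {"apiVersion": "v1", "kind": "Namespace"},
          {"apiVersion": "apps/v1", "kind": "Deployment"}
        ]
      }
    }
  }
}`

// Constructed sample: a group with no context-aware members, which the
// workaround must still admit.
const SampleCleanGroup = `{
  "apiVersion": "policies.kubewarden.io/v1",
  "kind": "AdmissionPolicyGroup",
  "metadata": {"name": "baseline", "namespace": "tenant-a"},
  "spec": {
    "policyServer": "default",
    "policies": {"privileged_check": {"module": "registry://example.invalid/policies/no-privileged:v1"}}
  }
}`

func main() {
	for _, raw := range []string{SampleContextAwareGroup, SampleCleanGroup} {
		allowed, msg, err := ValidateAdmissionPolicyGroup([]byte(raw))
		switch {
		case err != nil:
			fmt.Println("error:", err)
		case allowed:
			fmt.Println("allowed")
		default:
			fmt.Println(msg)
		}
	}
}
```

The same predicate is what an Audit Scanner pass over existing AdmissionPolicyGroup objects should report on, since admission-time rejection does nothing for groups created before the workaround was installed.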
Source: This report was generated using AI