Vulnerability Details CVE-2022-35930
PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 47.3%
CVSS Severity
CVSS v3 Score 7.1
References
- https://github.com/sigstore/policy-controller/commit/e852af36fb7d42678b21d7e97503c25bd1fd05c8
- https://github.com/sigstore/policy-controller/releases/tag/v0.2.1
- https://github.com/sigstore/policy-controller/security/advisories/GHSA-739f-hw6h-7wq8
- https://github.com/sigstore/policy-controller/commit/e852af36fb7d42678b21d7e97503c25bd1fd05c8
- https://github.com/sigstore/policy-controller/releases/tag/v0.2.1
- https://github.com/sigstore/policy-controller/security/advisories/GHSA-739f-hw6h-7wq8
Products affected by CVE-2022-35930
-
cpe:2.3:a:sigstore:policy_controller:-
-
cpe:2.3:a:sigstore:policy_controller:0.1.0
-
cpe:2.3:a:sigstore:policy_controller:0.2.0