Skip to content

KubeWarden's AdmissionPolicy and AdmissionPolicyGroup policies can be used to alter PolicyReport resources

Moderate severity GitHub Reviewed Published Jan 30, 2025 in kubewarden/kubewarden-controller • Updated Jan 30, 2025

Package

gomod github.com/kubewarden/kubewarden-controller (Go)

Affected versions

>= 1.7.0, < 1.21.0

Patched versions

1.21.0

Description

Impact

By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy.
There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature.
For example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See this section of Kubewarden’s documentation for more details about PolicyReport resources.
An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources.
Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace.

Patches

Starting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources.
The new validation will also restrict the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects.

Workarounds

On clusters running Kubewarden < 1.21.0, the following Kubewarden policy can be applied to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources:

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: "deny-interaction-with-policyreport"
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  settings:
    variables:
      - name: hasWildcardInsideOfApiGroup
        expression: "object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == '*'))"
      - name: hasWildcardInsideOfResources
        expression: "object.spec.rules.exists(r, r.resources.exists(ag, ag == '*' || ag == '*/*' || ag == 'policyreports/*'))"
      - name: dealsWithPolicyReportApiGroup
        expression: "object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == 'wgpolicyk8s.io'))"
      - name: dealsWithPolicyReportResource
        expression: "object.spec.rules.exists(r, r.resources.exists(ag, ag == 'policyreports' || ag == 'policyreports/'))"
      - name: isPendingDeletion
        expression: "has(object.metadata.deletionTimestamp)"
    validations:
      - expression: |
          !( variables.hasWildcardInsideOfApiGroup ||
             variables.hasWildcardInsideOfResources ||
             variables.dealsWithPolicyReportResource ||
             variables.dealsWithPolicyReportApiGroup
          ) || variables.isPendingDeletion
        message: "cannot target PolicyReport resources or use wildcards in apiGroups or resources"
  rules:
    - apiGroups: ["policies.kubewarden.io"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["admissionpolicies", "admissionpolicygroups"]
  mutating: false
  backgroundAudit: true

For more information

If you have any questions or comments about this advisory you can contact the Kubewarden team using the procedures described under the “security disclosure“ guidelines of the Kubewarden project.

References

@flavio flavio published to kubewarden/kubewarden-controller Jan 30, 2025
Published by the National Vulnerability Database Jan 30, 2025
Published to the GitHub Advisory Database Jan 30, 2025
Reviewed Jan 30, 2025
Last updated Jan 30, 2025

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS score

Weaknesses

CVE ID

CVE-2025-24376

GHSA ID

GHSA-fc89-jghx-8pvg

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.