CVE-2025-24376

Aliases: GHSA-fc89-jghx-8pvg, GO-2025-3434
Advisory lineage: Upstream: 0, Downstream: 2
Deferred
Published: 30 Jan 2025, 15:51
Last modified: 12 Feb 2025, 19:51

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.07% LOW
0% probability -0.10%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

30 Jan 2025, 15:51
Published
Vulnerability first disclosed
12 Feb 2025, 19:51
Last Modified
Vulnerability information updated

Description

kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport objects are namespaced resources that contain the list of non-compliant objects found inside a namespace. An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects in order to hide non-compliant resources. Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside the namespace. Starting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources.
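The defensive check this advisory implies is an audit of every namespaced policy's rules for matches against sensitive resource types, including matches produced by wildcards (the CWE-155 angle). The following is an added example written for this page, not code from the kubewarden-controller project. It assumes webhook-style rule semantics (`apiGroups`/`resources` lists where `*` matches anything and `resource/*` covers subresources), that PolicyReport is served by the `wgpolicyk8s.io` group as the plural resource `policyreports`, and that the policy CRDs carry `spec.rules` and a boolean `spec.mutating`; the policy objects below are constructed sample input, not real cluster data.

```python
"""Audit AdmissionPolicy / AdmissionPolicyGroup objects for rules that reach
sensitive namespaced resources such as PolicyReport.

Added example for CVE-2025-24376; not Kubewarden project code.
"""
from typing import Any

# Assumption: PolicyReport lives in the wgpolicyk8s.io API group and is
# addressed by the plural resource name "policyreports".
SENSITIVE_NAMESPACED = {("wgpolicyk8s.io", "policyreports")}


def _group_matches(pattern: str, group: str) -> bool:
    # "*" in apiGroups matches every group, which is how a broadly
    # written policy silently covers PolicyReport as well.
    return pattern == "*" or pattern == group


def _resource_matches(pattern: str, resource: str) -> bool:
    # Webhook-style semantics: "*" or "*/*" match everything,
    # "policyreports/*" matches the resource plus all subresources.
    base = pattern.split("/", 1)[0]
    return base == "*" or base == resource


def rule_hits(rule: dict[str, Any]) -> list[tuple[str, str]]:
    """Return the sensitive (group, resource) pairs a single rule matches."""
    hits = []
    for group, resource in sorted(SENSITIVE_NAMESPACED):
        if any(_group_matches(g, group) for g in rule.get("apiGroups", [])) and any(
            _resource_matches(r, resource) for r in rule.get("resources", [])
        ):
            hits.append((group, resource))
    return hits


def audit_policy(policy: dict[str, Any]) -> list[dict[str, Any]]:
    """Flag each rule of a namespaced policy that can act on a sensitive type."""
    findings: list[dict[str, Any]] = []
    kind = policy.get("kind")
    if kind not in ("AdmissionPolicy", "AdmissionPolicyGroup"):
        return findings  # cluster-scoped policy kinds are out of scope here
    meta = policy.get("metadata", {})
    spec = policy.get("spec", {})
    for idx, rule in enumerate(spec.get("rules", [])):
        for group, resource in rule_hits(rule):
            findings.append({
                "policy": f"{meta.get('namespace')}/{meta.get('name')}",
                "kind": kind,
                "rule": idx,
                "target": f"{group}/{resource}",
                # A mutating policy could rewrite report contents, so it is
                # the more severe finding; a validating one can only block.
                "mutating": bool(spec.get("mutating", False)),
                "operations": list(rule.get("operations", [])),
            })
    return findings


def audit_all(policies: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return [f for p in policies for f in audit_policy(p)]


# Constructed sample policies (not taken from any real cluster).
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {   # benign: only touches pods
        "kind": "AdmissionPolicy",
        "metadata": {"name": "pod-labels", "namespace": "team-a"},
        "spec": {"mutating": False, "rules": [
            {"apiGroups": [""], "apiVersions": ["v1"],
             "resources": ["pods"], "operations": ["CREATE"]}]},
    },
    {   # wildcard rule: reaches policyreports without naming it
        "kind": "AdmissionPolicyGroup",
        "metadata": {"name": "catch-all", "namespace": "team-a"},
        "spec": {"rules": [
            {"apiGroups": ["*"], "apiVersions": ["*"],
             "resources": ["*/*"], "operations": ["CREATE", "UPDATE"]}]},
    },
    {   # explicit mutating rule on the report type itself
        "kind": "AdmissionPolicy",
        "metadata": {"name": "rewrite-reports", "namespace": "team-b"},
        "spec": {"mutating": True, "rules": [
            {"apiGroups": ["wgpolicyk8s.io"], "apiVersions": ["v1alpha2"],
             "resources": ["policyreports"], "operations": ["CREATE", "UPDATE"]}]},
    },
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_POLICIES):
        print(finding)
```

Run against exported policies (for instance the JSON from a `kubectl get admissionpolicies,admissionpolicygroups -A -o json` dump, parsed and passed as the list) the audit reports the wildcard group policy and the mutating policy while leaving the pod-only policy alone; on controllers before 1.21.0 both findings represent rules the controller would have accepted.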

CVSS Metrics

  • v3.1 MEDIUM, Score: 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS Trends

Current EPSS score: 0.07% Percentile: 21%

Techniques & Countermeasures

  • CWE-155: Improper Neutralization of Wildcards or Matching Symbols

    The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.

  • CWE-285: Improper Authorization

    The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

  • github.com/kubewarden/kubewarden-controller (Go module)

    ≥ 1.7.0, < 1.21.0

  • kubewarden/kubewarden-controller (GitHub)

    ≥ 1.7.0, < 1.21.0

References (5)