// For flags

CVE-2022-35930

Ability to bypass attestation verification in sigstore PolicyController

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.

PolicyController es una utilidad usada para hacer cumplir la política de la cadena de suministro en los clústeres de Kubernetes. En versiones anteriores a 0.2.1 PolicyController informará de un falso positivo, resultando en una admisión cuando no debería ser admitida cuando se presenta al menos un atestado con una firma válida y NO se presentan atestados del tipo que está siendo verificado (--type por defecto es "custom"). Una imagen de ejemplo que puede usarse para probar esto es "ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2". Los usuarios deben actualizar a versión 0.2.1 para resolver este problema. No se presentan mitigaciones para usuarios que no puedan actualizar

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-08-04 CVE Published
  • 2024-03-25 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-347: Improper Verification of Cryptographic Signature
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sigstore
Search vendor "Sigstore"
Policy Controller
Search vendor "Sigstore" for product "Policy Controller"
< 0.2.1
Search vendor "Sigstore" for product "Policy Controller" and version " < 0.2.1"
-
Affected