cvedb.io
CVE-2023-34091
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2023-06-01T17:15:10.873 · Last modified 2026-06-17T06:02:52.443

Summary

Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This occurs because resources pending deletion were consciously exempted by Kyverno to reduce processing load, as policies are typically not applied to objects that are being deleted. However, this could allow a malicious user to leverage the Kubernetes finalizers feature: by setting a finalizer, which causes the Kubernetes API server to set the `deletionTimestamp`, and then never completing the delete operation, the user can explicitly bypass a Kyverno policy. Note
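The exemption described above means that, on affected versions, any object carrying a `deletionTimestamp` went unchecked by policy. As an added example (not cvedb's or Kyverno's code), this Python audit helper parses a Kubernetes list response (a constructed sample is embedded) and flags objects pending deletion, separating long-pending ones that still carry finalizers from ordinary in-progress deletions; the 10-minute grace window and the sample object names are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a Kubernetes list response (shape of `kubectl get ... -o json`),
# trimmed to the metadata fields that matter here. Not output from a real cluster.
SAMPLE_LIST = json.dumps({"items": [
    {"kind": "Pod", "metadata": {"name": "web-1", "namespace": "prod"}},
    {"kind": "Pod", "metadata": {"name": "held-1", "namespace": "prod",
        "deletionTimestamp": "2023-05-25T10:00:00Z",
        "finalizers": ["example.com/never-completes"]}},
    {"kind": "Deployment", "metadata": {"name": "draining", "namespace": "batch",
        "deletionTimestamp": "2023-06-01T11:59:30Z",
        "finalizers": ["foregroundDeletion"]}},
]})

# Fixed "current time" so the sample evaluates the same way on every run.
SAMPLE_NOW = datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_k8s_time(value):
    """Kubernetes serialises timestamps as RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unpoliced_objects(list_json, now, grace=timedelta(minutes=10)):
    """Return objects that a pre-1.10.0 Kyverno would have exempted from policy.

    Every object with deletionTimestamp set is reported, with a reason:
      "stuck"    - finalizers still attached and the deletion is older than `grace`,
                   the finalizer-blocks-completion pattern the advisory describes.
      "deleting" - a recent deletion that is most likely just in progress.
    """
    findings = []
    for obj in json.loads(list_json)["items"]:
        meta = obj.get("metadata", {})
        stamp = meta.get("deletionTimestamp")
        if not stamp:
            continue  # live object: policies applied normally
        age = now - parse_k8s_time(stamp)
        finalizers = meta.get("finalizers", [])
        reason = "stuck" if finalizers and age > grace else "deleting"
        findings.append({
            "ref": f'{obj["kind"]}/{meta.get("namespace", "")}/{meta["name"]}',
            "age_seconds": int(age.total_seconds()),
            "finalizers": finalizers,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in unpoliced_objects(SAMPLE_LIST, SAMPLE_NOW):
        print(f"{f['reason']:8} {f['ref']} age={f['age_seconds']}s finalizers={f['finalizers']}")
```

Objects reported as "stuck" are the ones worth reviewing by hand on clusters that ran Kyverno before 1.10.0, since no validate, generate or mutate-existing policy ever evaluated them.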

Affected products

nirmata — kyverno

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.