{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T03:06:04.601","vulnerabilities":[{"cve":{"id":"CVE-2025-24784","sourceIdentifier":"security-advisories@github.com","published":"2025-01-30T16:15:31.780","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. The policy group feature was added in the 1.17.0 release. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources. Hence, it’s considered safe to allow non-admin users to create and manage these resources in the namespaces they own. Kubewarden policies can be allowed to query the Kubernetes API at evaluation time; these types of policies are called “context aware”. Context aware policies can perform list and get operations against a Kubernetes cluster. The queries are done using the ServiceAccount of the Policy Server instance that hosts the policy. That means that access to the cluster is determined by the RBAC rules that apply to that ServiceAccount. The AdmissionPolicyGroup CRD allowed the deployment of context aware policies. This could allow an attacker to obtain information about resources that are out of their reach, by leveraging the higher access to the cluster granted to the ServiceAccount token used to run the policy. The impact of this vulnerability depends on the privileges that have been granted to the ServiceAccount used to run the Policy Server and assumes that users are following the recommended best practice of keeping the Policy Server's ServiceAccount least privileged. By default, the Kubewarden helm chart grants access to the following resources (cluster wide) only: Namespace, Pod, Deployment and Ingress. This vulnerability is fixed in 1.21.0."},{"lang":"es","value":"kubewarden-controller es un controlador de Kubernetes que le permite registrar dinámicamente las políticas de admisión de Kubewarden. La función de grupo de políticas, agregada por la versión 1.17.0. Al tener un espacio de nombres, AdmissionPolicyGroup tiene un impacto bien restringido en los recursos del clúster. Por lo tanto, se considera seguro permitir que los usuarios que no son administradores creen y administren estos recursos en los espacios de nombres que poseen. Se puede permitir que las políticas de Kubewarden consulten la API de Kubernetes en el momento de la evaluación; estos tipos de políticas se denominan \"conscientes del contexto\". Las políticas conscientes del contexto pueden realizar operaciones de lista y obtención en un clúster de Kubernetes. Las consultas se realizan utilizando la ServiceAccount de la instancia del servidor de políticas que aloja la política. Eso significa que el acceso al clúster está determinado por las reglas de RBAC que se aplican a esa ServiceAccount. El CRD de AdmissionPolicyGroup permitió la implementación de políticas conscientes del contexto. Esto podría permitir que un atacante obtenga información sobre recursos que están fuera de su alcance, aprovechando un mayor acceso al clúster otorgado al token ServiceAccount utilizado para ejecutar la política. El impacto de esta vulnerabilidad depende de los privilegios que se hayan otorgado al ServiceAccount utilizado para ejecutar Policy Server y supone que los usuarios están utilizando las mejores prácticas recomendadas para mantener el ServiceAccount del Policy Server con los privilegios mínimos. De forma predeterminada, el gráfico de Helm de Kubewarden otorga acceso únicamente a los siguientes recursos (en todo el clúster): espacio de nombres, pod, implementación e ingreso. Esta vulnerabilidad se corrigió en la versión 1.21.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://github.com/kubewarden/kubewarden-controller/commit/51a88dfbb4c090ce0f76a22d98106518e0824d0b","source":"security-advisories@github.com"},{"url":"https://github.com/kubewarden/kubewarden-controller/security/advisories/GHSA-756x-m4mj-q96c","source":"security-advisories@github.com"}]}}]}