/
DirectorySecurity Advisories
Sign In
Security Advisories

CVE-2022-35930

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2022-35930

CGA ID

CGA-5g6r-gqx2-76cw

Severity

8.8

High

CVSS V3

Description

PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.

References

Affected packages

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsPricingOpen SourceCareersNewsroomLegal

Resources

Unchained BlogEventsTrust CenterDocumentation