Kubewarden, Privilege Escalation via Deprecated APIs, CVE (Medium)

Listen to this Post

The vulnerability in Kubewarden allows attackers with privileged AdmissionPolicy create permissions to exploit three deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, and kubernetes/services. By crafting a malicious policy that exercises these APIs, the attacker gains unauthorized read access to Ingresses, Namespaces, and Services resources across the Kubernetes cluster. This includes reading namespace names and labels, service ClusterIPs and ports, and ingress hostnames and routing rules. The attack is read-only and does not provide write access or access to Secrets or ConfigMaps. These deprecated APIs were not properly gated, leading to privilege escalation. Kubewarden had already deprecated these APIs in favor of more secure alternatives like kubewarden/kubernetes/list_resources, which are fine-grained and context-aware. The vulnerability is mitigated by updating the policy-server image to v1.33.0, which removes the deprecated APIs entirely. Alternatively, reducing user permissions temporarily prevents exploitation. This issue underscores the need for deprecating unsafe APIs and enforcing robust permission controls.
Platform: Kubewarden
Version: before v1.33.0
Vulnerability: deprecated API read
Severity: Medium
date: N/A

Prediction: Already patched v1.33.0

What Undercode Say:

Check current policy-server image version
kubectl get deployment policy-server -n kubewarden -o jsonpath="{.spec.template.spec.containers[bash].image}"
Update policy-server to patched version v1.33.0
kubectl set image deployment/policy-server policy-server=ghcr.io/kubewarden/policy-server:v1.33.0 -n kubewarden
List all AdmissionPolicies across namespaces
kubectl get admissionpolicies -A
Describe a specific AdmissionPolicy for details
kubectl describe admissionpolicy <policy-name> -n <namespace>
Example of a malicious policy using deprecated APIs (conceptual, as APIs are removed)
cat <<EOF | kubectl apply -f -
apiVersion: policies.kubewarden.io/v1
kind: AdmissionPolicy
metadata:
name: malicious-read
namespace: attacker-ns
spec:
module: registry://... Policy that calls deprecated kubernetes/ingresses
rules:
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
EOF

Exploit:

An attacker with privileged AdmissionPolicy create permissions crafts a policy that invokes deprecated host-callback APIs (kubernetes/ingresses, kubernetes/namespaces, kubernetes/services). This policy, when deployed, uses the APIs to read Ingresses, Namespaces, and Services across all namespaces, revealing cluster topology without authorization. The exploit requires existing permissions and leverages unpatched Kubewarden versions before v1.33.0.

Protection from this CVE:

  • Immediately update the policy-server image to v1.33.0 or later using the command provided above.
  • Temporarily revoke AdmissionPolicy create permissions from users until patched.
  • Use context-aware permissions with secure APIs like kubewarden/kubernetes/list_resources.
  • Monitor for suspicious policy deployments with kubewarden audit capabilities.

Impact:

Unauthorized read access to Ingresses, Namespaces, and Services across the Kubernetes cluster, potentially exposing internal network topology, service endpoints, and routing rules. This aids further reconnaissance but does not allow data modification or access to secrets. The attack vector is limited to users with specific privileged permissions and is read-only.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top