Key Information Summary

Vulnerability Overview
CVE ID: CVE-2021-47581
Severity: 7.7/10
Affected Versions: <1.14.1
Fixed Version: 1.14.2

Vulnerability Description
Kyverno contains a Denial of Service (DoS) vulnerability due to improper handling of JMESPath variable substitution. Attackers can exploit this vulnerability by updating Kyverno policies that use variables with and JMESPath functions (e.g., or ). This causes a value to be inserted into the policy structure. Subsequent internal function calls, particularly , which expects a string value, result in a panic when encountering a type assertion failure ( ). This creates an infinite loop, exhausting worker threads in the admission controller and ultimately rendering the entire admission controller unavailable, thereby blocking the creation of new resources.

Impact
Audit Mode: Individual worker threads enter an infinite loop and terminate, while the main process recovers by spawning new worker threads. However, sustained exploitation may exhaust worker threads.
Enforce Mode: The entire controller hangs and crashes, requiring Kubernetes to restart it. This interrupts policy enforcement, container suspension, and report generation.

Conditions
Attackers must have permission to create or update Kyverno Policy or ClusterPolicy resources. This is typically a privileged operation, but may be delegated in some environments.

Consequences
Policy enforcement dependency, inability to create new resources, loss of policy report visibility.

Mitigation
Add robust handling for values in . Review handling of and to prevent erroneous evaluations (e.g., undefined functions) from parsing.
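The failure mode described above, and the hardening the mitigation calls for, reduced to a small Go illustration. This is an added example, not Kyverno's own code: the Resolver type, the variable syntax and the function names are hypothetical, and the policy string and resolver map are constructed sample input.

```go
package main

import (
	"fmt"
	"regexp"
)

// Resolver maps a variable name to its value. A nil result models a JMESPath
// expression that evaluated to no value (hypothetical type, not Kyverno's API).
type Resolver func(name string) interface{}

var varRe = regexp.MustCompile(`\{\{\s*([^}\s]+)\s*\}\}`)

// substituteUnsafe mirrors the failure mode in the advisory: the resolved value is
// asserted to be a string with the single-value form, so a nil result panics with
// an "interface conversion" error and takes down the calling worker.
func substituteUnsafe(s string, r Resolver) string {
	return varRe.ReplaceAllStringFunc(s, func(m string) string {
		name := varRe.FindStringSubmatch(m)[1]
		return r(name).(string) // panics when r returns nil or a non-string
	})
}

// substituteSafe is the hardened form: the comma-ok assertion turns a nil or
// non-string result into an error the caller can report instead of a panic.
func substituteSafe(s string, r Resolver) (string, error) {
	var firstErr error
	out := varRe.ReplaceAllStringFunc(s, func(m string) string {
		name := varRe.FindStringSubmatch(m)[1]
		v := r(name)
		str, ok := v.(string)
		if !ok && firstErr == nil {
			firstErr = fmt.Errorf("variable %q resolved to %T, want string", name, v)
		}
		return str
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

// callerPanics reports whether fn panics; used only to demonstrate the unsafe path.
func callerPanics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	vals := map[string]interface{}{"request.object.metadata.name": "demo"} // constructed
	r := Resolver(func(n string) interface{} { return vals[n] })            // missing key -> nil
	fmt.Println(substituteSafe("ns: {{ missing.value }}", r))
}
```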