Back to catalog

Fixable CVSS >= 6 and Privileged

No violationsstackroxhighdeploy

Alert on deployments running in privileged mode with fixable vulnerabilities with a CVSS of at least 6

Rationale
Known vulnerabilities make it easier for adversaries to exploit your application, and highly privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).
Remediation
Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.
CategoriesPrivilegesVulnerability Management
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.2.1
DORA EU 2022/2554
Art. 9.2Art. 9.4(c)
ISO/IEC 27001 2022
A.8.2A.8.8
NIST SP 800-53 rev. 5
AC-6RA-5SI-2
PCI DSS 4.0
2.2.66.3.16.3.37.2.1
SOC 2 2017 TSC
CC6.1CC7.1

Generated artifacts

0 of 5 targets supported
Not supported by kyverno

This policy references fields that kyverno cannot express in its rule language.

Missing capabilities
fixed-bycvss
IR (canonical)
{
  "id": "93f4b2dd-ef5a-419e-8371-38aed480fb36",
  "name": "Fixable CVSS >= 6 and Privileged",
  "description": "Alert on deployments running in privileged mode with fixable vulnerabilities with a CVSS of at least 6",
  "rationale": "Known vulnerabilities make it easier for adversaries to exploit your application, and highly privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).",
  "remediation": "Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.",
  "severity": "high",
  "categories": [
    "Privileges",
    "Vulnerability Management"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "privileged-container",
        "values": [
          "true"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "fixed-by",
        "values": [
          ".*"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "cvss",
        "values": [
          ">= 6.000000"
        ],
        "valuesOp": "or",
        "negate": false
      }
    ]
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "93f4b2dd-ef5a-419e-8371-38aed480fb36",
  "name": "Fixable CVSS >= 6 and Privileged",
  "description": "Alert on deployments running in privileged mode with fixable vulnerabilities with a CVSS of at least 6",
  "rationale": "Known vulnerabilities make it easier for adversaries to exploit your application, and highly privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).",
  "remediation": "Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.",
  "disabled": true,
  "categories": [
    "Privileges",
    "Vulnerability Management"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Privileged Container",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "true"
            }
          ]
        },
        {
          "fieldName": "Fixed By",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": ".*"
            }
          ]
        },
        {
          "fieldName": "CVSS",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": ">= 6.000000"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}