CVE-2023-37900

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled. The impact is limited due to the high privileges required to be able to create the Package and the eventually consistency nature of controller. This issue is fixed in versions 1.11.5, 1.12.3, and 1.13.0.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*
cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:12

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 2.7
v2 : unknown
v3 : 3.4
References () https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit () https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit
References () https://github.com/crossplane/crossplane/security/advisories/GHSA-68p4-95xf-7gx8 - Third Party Advisory () https://github.com/crossplane/crossplane/security/advisories/GHSA-68p4-95xf-7gx8 - Third Party Advisory

03 Aug 2023, 13:34

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 2.7
References (MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-68p4-95xf-7gx8 - (MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-68p4-95xf-7gx8 - Third Party Advisory
References (MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - (MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit
First Time Cncf crossplane
Cncf
CPE cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*

27 Jul 2023, 16:52

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-27 16:15

Updated : 2024-11-21 08:12


NVD link : CVE-2023-37900

Mitre link : CVE-2023-37900

CVE.ORG link : CVE-2023-37900


JSON object : View

Products Affected

cncf

  • crossplane
CWE
CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling