CVE-2023-38495

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*
cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*

History

03 Aug 2023, 13:39

Type Values Removed Values Added
First Time Cncf crossplane
Cncf
CPE cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
References (MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - (MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - Vendor Advisory
References (MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - (MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit, Technical Description, Vendor Advisory

27 Jul 2023, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-27 19:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-38495

Mitre link : CVE-2023-38495

CVE.ORG link : CVE-2023-38495


JSON object : View

Products Affected

cncf

  • crossplane
CWE
CWE-20

Improper Input Validation