Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.
References
Link | Resource |
---|---|
https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf | Exploit Technical Description Vendor Advisory |
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m | Vendor Advisory |
https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf | Exploit Technical Description Vendor Advisory |
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:13
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.3 |
References | () https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit, Technical Description, Vendor Advisory | |
References | () https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - Vendor Advisory |
03 Aug 2023, 13:39
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - Vendor Advisory | |
References | (MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit, Technical Description, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:* | |
First Time |
Cncf crossplane
Cncf |
27 Jul 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-27 19:15
Updated : 2024-11-21 08:13
NVD link : CVE-2023-38495
Mitre link : CVE-2023-38495
CVE.ORG link : CVE-2023-38495
JSON object : View
Products Affected
cncf
- crossplane
CWE
CWE-20
Improper Input Validation