CVE-2023-38495

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages, so Crossplane cannot detect whether an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, use only images from trusted sources and restrict Package creation and editing privileges to administrators.
Configurations

Configuration 1

OR cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:13

| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : unknown, v3 : 9.8 | v2 : unknown, v3 : 8.3 |
| References | () https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit, Technical Description, Vendor Advisory | () https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit, Technical Description, Vendor Advisory |
| References | () https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - Vendor Advisory | () https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - Vendor Advisory |

03 Aug 2023, 13:39

| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - | (MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - Vendor Advisory |
| References | (MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - | (MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit, Technical Description, Vendor Advisory |
| CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 9.8 |
| CPE | | cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:* |
| First Time | | Cncf crossplane, Cncf |

27 Jul 2023, 19:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2023-07-27 19:15

Updated : 2024-11-21 08:13

NVD link : CVE-2023-38495

Mitre link : CVE-2023-38495

CVE.ORG link : CVE-2023-38495

Products Affected

cncf

  • crossplane
CWE

CWE-20: Improper Input Validation