Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.
References
Link | Resource |
---|---|
https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf | Exploit Technical Description Vendor Advisory |
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
03 Aug 2023, 13:39
Type | Values Removed | Values Added |
---|---|---|
First Time |
Cncf crossplane
Cncf |
|
CPE | cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | (MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - Vendor Advisory | |
References | (MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit, Technical Description, Vendor Advisory |
27 Jul 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-27 19:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-38495
Mitre link : CVE-2023-38495
CVE.ORG link : CVE-2023-38495
JSON object : View
Products Affected
cncf
- crossplane
CWE
CWE-20
Improper Input Validation