CVE-2023-38495

Published: Jul 27, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.

Affected (2)

Products: Cncf: Crossplane

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Cncf Crossplane	Before 1.11.5
Cncf Crossplane	From 1.12.0 to 1.12.3

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf

Source: security-advisories@github.com

ExploitTechnical DescriptionVendor Advisory

https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m

Source: security-advisories@github.com

Vendor Advisory

https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionVendor Advisory

https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.