Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-38495

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.

Published

2023-07-27T19:15:10.010

Last Modified

2024-11-21T08:13:41.513

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.3 (HIGH)

Weaknesses

Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cncf	crossplane	< 1.11.5	Yes
Application	cncf	crossplane	< 1.12.3	Yes

References

https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf Exploit, Technical Description, Vendor Advisory ([email protected])
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m Vendor Advisory ([email protected])
https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf Exploit, Technical Description, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)