Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-38495

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 8.3, indicating it can be exploited remotely over the network but requires specific conditions to be met though user interaction is required and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. Impacting 1 product from cncf organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2023, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2023-07-27T19:15:10.010

Last Modified

2024-11-21T08:13:41.513

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.3 (HIGH)

Weaknesses

Type: Secondary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cncf	crossplane	< 1.11.5	Yes
Application	cncf	crossplane	< 1.12.3	Yes

References

https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf Exploit, Technical Description, Vendor Advisory ([email protected])
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m Vendor Advisory ([email protected])
https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf Exploit, Technical Description, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For cncf's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.