Lucene search

[email protected]NVD:CVE-2023-38495

HistoryJul 27, 2023 - 7:15 p.m.

CVE-2023-38495

2023-07-2719:15:10

CWE-20

[email protected]

web.nvd.nist.gov

crossplane

cloud native

control planes

image backend

package validation

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.002

Percentile

57.4%

JSON

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane’s image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.

Affected configurations

Nvd

Node

cncfcrossplaneRange<1.11.5

cncfcrossplaneRange1.12.0–1.12.3

VendorProductVersionCPE
cncfcrossplane*cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cncf	crossplane	*	cpe:2.3:a:cncf:crossplane::::::::

References

github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf

github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.002

Percentile

57.4%

JSON

Related for NVD:CVE-2023-38495

github1 cve1 osv4 veracode1 cvelist1 prion1