Lucene search

Veracode Vulnerability DatabaseVERACODE:41833

HistoryJul 28, 2023 - 11:17 p.m.

Missing Image Validation

2023-07-2823:17:43

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

crossplane

vulnerability

image validation

detection mechanism

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

57.4%

JSON

github.com/crossplane/crossplane is vulnerable to Missing Image Validation. The vulnerability exists in imageback.go due to a lack of image validation inside the packages, which allows an attacker bypass the detection mechanism for tampered packages.

References

github.com/advisories/GHSA-pj4x-2xr5-w87m

github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf

github.com/crossplane/crossplane/commit/2a6d31f410ee5026c795b20b5a4f9d581ebd1568

github.com/crossplane/crossplane/commit/a1293952f03d4b9012cf689b05bee35bb11b77d6

github.com/crossplane/crossplane/commit/d577b71940deb26e60d32ad03c0ba6339d3865e9

github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m

github.com/golang/vulndb/issues/1980

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

57.4%

JSON

Related for VERACODE:41833