Vulnerability Description
Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.
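The weakness described above is a missing integrity check: the bytes fetched for a package layer were never compared against the content digest the image manifest records, so a layer altered in transit or in the registry is accepted as genuine. The Go program below is an added illustration of that check and is not Crossplane's own code; the function and variable names (`VerifyLayer`, `VerifyPackage`, `Digest`, `ParseDigest`) and the one-line YAML stand-in for a package layer are assumptions constructed for the example. It shows the untampered layer passing and the same manifest rejecting a layer whose bytes were changed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrDigestMismatch is returned when fetched bytes do not hash to the digest
// the manifest promised for that layer.
var ErrDigestMismatch = errors.New("layer content does not match manifest digest")

// ParseDigest splits an OCI-style digest string ("sha256:<64 hex chars>") into
// its algorithm and raw hash bytes. Only sha256 is accepted (hypothetical helper).
func ParseDigest(d string) (string, []byte, error) {
	algo, hexSum, ok := strings.Cut(d, ":")
	if !ok || algo != "sha256" {
		return "", nil, fmt.Errorf("unsupported or malformed digest %q", d)
	}
	sum, err := hex.DecodeString(hexSum)
	if err != nil || len(sum) != sha256.Size {
		return "", nil, fmt.Errorf("malformed sha256 digest %q", d)
	}
	return algo, sum, nil
}

// VerifyLayer hashes the bytes actually fetched for a layer and compares them,
// in constant time, with the digest recorded in the manifest. Any mismatch,
// including an unparsable digest, fails closed.
func VerifyLayer(manifestDigest string, content []byte) error {
	_, want, err := ParseDigest(manifestDigest)
	if err != nil {
		return err
	}
	got := sha256.Sum256(content)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// Digest formats the sha256 digest of content the way a manifest records it.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyPackage checks every layer the manifest names against the blobs the
// backend fetched, rejecting the package if any layer is missing or altered.
func VerifyPackage(manifestLayers []string, fetched map[string][]byte) error {
	for _, d := range manifestLayers {
		blob, ok := fetched[d]
		if !ok {
			return fmt.Errorf("layer %s missing from fetched blobs", d)
		}
		if err := VerifyLayer(d, blob); err != nil {
			return fmt.Errorf("layer %s: %w", d, err)
		}
	}
	return nil
}

func main() {
	// Constructed stand-in for a package layer (in reality a tar containing package.yaml).
	layer := []byte("apiVersion: meta.pkg.crossplane.io/v1\nkind: Provider\n")
	manifest := []string{Digest(layer)}

	fmt.Println("untampered:", VerifyPackage(manifest, map[string][]byte{manifest[0]: layer}))

	// Simulate a layer whose bytes were altered but is still served under the original digest.
	tampered := bytes.Replace(layer, []byte("Provider"), []byte("Configuration"), 1)
	fmt.Println("tampered:  ", VerifyPackage(manifest, map[string][]byte{manifest[0]: tampered}))
}
```

The comparison is made on the fetched bytes, not on the digest string the registry reports, because the registry (or anyone between it and the control plane) is exactly the party whose honesty is in question. The workaround in the advisory (only pull from trusted sources and restrict who may create or edit Package objects) reduces exposure to the same failure until the fixed versions are deployed.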
CVSS Score
8.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cncf | Crossplane | < 1.11.5 |
Related Weaknesses (CWE)
References
- https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f19 (Exploit, Technical Description, Vendor Advisory)
- https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m (Vendor Advisory)
FAQ
What is CVE-2023-38495?
CVE-2023-38495 is a vulnerability with a CVSS score of 8.3 (HIGH). Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages, so tampering with a Package goes undetected.
How severe is CVE-2023-38495?
CVE-2023-38495 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2023-38495?
Check the references section above for vendor advisories and patch information. Affected products include: Cncf Crossplane.