CVE-2023-38495

Exploit

EPSS 0.24%
Published 27.07.2023 19:15:10
Last modified 21.11.2024 08:13:41
Source security-advisories@github.com
Teams watchlist Login
Open Login

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Cncf ≫ Crossplane Version < 1.11.5

Cncf ≫ Crossplane Version >= 1.12.0 < 1.12.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.24%	0.475

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.3	1.6	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf

Vendor Advisory

Exploit

Technical Description

https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-38495

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-38495

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-38495

EUVD