9.8
CVE-2023-38495
- EPSS 0.3%
- Veröffentlicht 27.07.2023 19:15:10
- Zuletzt bearbeitet 21.11.2024 08:13:41
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginCrossplane vulnerable to possible image tampering from missing image validation for Packages
Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cncf ≫ Crossplane Version < 1.11.5
Cncf ≫ Crossplane Version >= 1.12.0 < 1.12.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.536 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 8.3 | 1.6 | 6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.