High severityNVD Advisory· Published Jul 27, 2023· Updated Oct 10, 2024
Crossplane vulnerable to possible image tampering from missing image validation for Packages
CVE-2023-38495
Description
Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/crossplane/crossplaneGo | < 1.11.5 | 1.11.5 |
github.com/crossplane/crossplaneGo | >= 1.12.0, < 1.12.3 | 1.12.3 |
Affected products
9- osv-coords8 versionspkg:apk/chainguard/crossplanepkg:apk/chainguard/crossplane-crankpkg:apk/chainguard/crossplane-xfnpkg:apk/wolfi/crossplanepkg:apk/wolfi/crossplane-crankpkg:apk/wolfi/crossplane-xfnpkg:bitnami/crossplanepkg:golang/github.com/crossplane/crossplane
< 0+ 7 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.11.5
- (no CPE)range: < 1.11.5
- Range: < 1.11.5
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-pj4x-2xr5-w87mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-38495ghsaADVISORY
- github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdfghsax_refsource_MISCWEB
- github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87mghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.