VYPR
High severityNVD Advisory· Published Jul 27, 2023· Updated Oct 10, 2024

Crossplane vulnerable to possible image tampering from missing image validation for Packages

CVE-2023-38495

Description

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/crossplane/crossplaneGo
< 1.11.51.11.5
github.com/crossplane/crossplaneGo
>= 1.12.0, < 1.12.31.12.3

Affected products

9

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.