CVE-2023-38495

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf	Exploit Technical Description Vendor Advisory
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cncf:crossplane::::::::
	cpe:2.3:a:cncf:crossplane::::::::

History

03 Aug 2023, 13:39

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cncf:crossplane::::::::
First Time		Cncf Cncf crossplane
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~(MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m -~~	(MISC) https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m - Vendor Advisory
References	~~(MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf -~~	(MISC) https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf - Exploit, Technical Description, Vendor Advisory

27 Jul 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-07-27 19:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-38495

Mitre link : CVE-2023-38495

CVE.ORG link : CVE-2023-38495

JSON object : View

Products Affected

cncf

crossplane

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2023-38495", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.6}]}, "published": "2023-07-27T19:15:10.010", "references": [{"url": "https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf", "tags": ["Exploit", "Technical Description", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only."}], "lastModified": "2023-08-03T13:39:31.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B007480-33DA-4326-8E88-39738F8B235F", "versionEndExcluding": "1.11.5"}, {"criteria": "cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1BE3896-867C-491F-B2A2-7202EF97A35B", "versionEndExcluding": "1.12.3", "versionStartIncluding": "1.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}