CVE-2023-38495 - OpenCVE

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Cncf	Crossplane

Configuration 1 [-]

OR	cpe:2.3:a:cncf:crossplane::::::::
	cpe:2.3:a:cncf:crossplane::::::::

References

Link	Resource
https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf	Exploit Technical Description Vendor Advisory
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-27T18:07:13.283Z

Updated: 2023-07-27T18:07:13.283Z

Reserved: 2023-07-18T16:28:12.076Z

Link: CVE-2023-38495

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-27T19:15:10.010

Modified: 2023-08-03T13:39:31.713

Link: CVE-2023-38495

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-38495", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-18T16:28:12.076Z", "datePublished": "2023-07-27T18:07:13.283Z", "dateUpdated": "2023-07-27T18:07:13.283Z"}, "containers": {"cna": {"title": "Crossplane vulnerable to possible image tampering from missing image validation for Packages", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m"}, {"name": "https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf", "tags": ["x_refsource_MISC"], "url": "https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf"}], "affected": [{"vendor": "crossplane", "product": "crossplane", "versions": [{"version": "< 1.11.5", "status": "affected"}, {"version": ">= 1.12.0, < 1.12.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-27T18:07:13.283Z"}, "descriptions": [{"lang": "en", "value": "Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only."}], "source": {"advisory": "GHSA-pj4x-2xr5-w87m", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B007480-33DA-4326-8E88-39738F8B235F", "versionEndExcluding": "1.11.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1BE3896-867C-491F-B2A2-7202EF97A35B", "versionEndExcluding": "1.12.3", "versionStartIncluding": "1.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only."}], "id": "CVE-2023-38495", "lastModified": "2023-08-03T13:39:31.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-07-27T19:15:10.010", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Technical Description", "Vendor Advisory"], "url": "https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}