CVE-2023-38495 HIGH

CVE-2023-38495: Crossplane vulnerable to possible image tampering from missing image validation for Packages

Vendor Crossplane
Product crossplane
Weakness CWE-20 · Input validation
Published July 27, 2023
Last update October 10, 2024

CVSS base score

8.4/10 (CVSS 3.1, High)
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages against what the image manifest declares, so Crossplane does not detect that a Package has been tampered with. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, use only package images from trusted sources and restrict the ability to create or edit Package objects to administrators.
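The gap the description names, pulled layer bytes accepted without being checked against the digest the manifest declares for them, as an added Go example that is not Crossplane's own code: the Descriptor and Blob types, the two unpack functions and the package YAML are constructed stand-ins, and how Crossplane's real image backend fetched and (after the fix) validated layers is an assumption not shown here. The unvalidated path accepts a same-length edit and a truncated layer alike; the validated path rejects both.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Descriptor is a minimal stand-in for an OCI layer descriptor: the digest and
// size the image manifest claims for a blob. Constructed for this example, not
// a Crossplane type.
type Descriptor struct {
	Digest string // "sha256:<hex>", the form OCI digests are written in
	Size   int64
}

// Blob pairs a manifest descriptor with the bytes actually pulled for it.
type Blob struct {
	Desc    Descriptor
	Content []byte
}

var (
	ErrDigestMismatch = errors.New("layer bytes do not match the digest in the manifest")
	ErrSizeMismatch   = errors.New("layer size does not match the size in the manifest")
)

// digestOf computes the OCI-style sha256 digest string for b.
func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// unpackUnvalidated mirrors the behaviour the advisory describes for affected
// versions: the pulled bytes are handed on as the package without being
// compared to the manifest's digest, so a swapped layer is never noticed.
func unpackUnvalidated(b Blob) ([]byte, error) {
	return b.Content, nil
}

// unpackValidated is the hardened form: the bytes must be exactly the size the
// manifest claims and must hash to the manifest's digest before they are
// treated as the package. A layer altered in transit or in the registry fails here.
func unpackValidated(b Blob) ([]byte, error) {
	if int64(len(b.Content)) != b.Desc.Size {
		return nil, ErrSizeMismatch
	}
	if digestOf(b.Content) != b.Desc.Digest {
		return nil, ErrDigestMismatch
	}
	return b.Content, nil
}

// GenuinePackage returns a constructed package layer: a small package metadata
// document plus the descriptor a registry manifest would carry for it.
func GenuinePackage() Blob {
	content := []byte("apiVersion: meta.pkg.crossplane.io/v1\nkind: Provider\nmetadata:\n  name: provider-example\n")
	return Blob{
		Desc:    Descriptor{Digest: digestOf(content), Size: int64(len(content))},
		Content: content,
	}
}

// TamperedPackage keeps GenuinePackage's descriptor but swaps the bytes for a
// same-length edit, the case a size check on its own would miss.
func TamperedPackage() Blob {
	g := GenuinePackage()
	g.Content = bytes.Replace(g.Content, []byte("provider-example"), []byte("provider-evilxxx"), 1)
	return g
}

// TruncatedPackage keeps the descriptor but drops the trailing line, so the
// size check fires before the hash is even computed.
func TruncatedPackage() Blob {
	g := GenuinePackage()
	g.Content = g.Content[:len(g.Content)-len("  name: provider-example\n")]
	return g
}

func main() {
	cases := []struct {
		name string
		blob Blob
	}{{"genuine", GenuinePackage()}, {"tampered", TamperedPackage()}, {"truncated", TruncatedPackage()}}
	for _, c := range cases {
		_, errOld := unpackUnvalidated(c.blob)
		_, errNew := unpackValidated(c.blob)
		fmt.Printf("%-9s unvalidated=%v validated=%v\n", c.name, errOld, errNew)
	}
}
```

The check is deliberately done on the bytes that will be parsed, not on a digest the client computed earlier or read from a tag: the manifest digest is the only thing that ties the package content to what was pinned, and the size comparison is cheap enough to run first so an obviously wrong blob never reaches the hash.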

Key dates

02 Disclosure timeline

July 27, 2023 CVE published
October 10, 2024 Record updated