PT-2023-26170 · Unknown · Crossplane
Adamkorcz +1 · Published 2023-07-27 · Updated 2026-01-26 · CVE-2023-37900
CVSS v3.1: 3.4 (Low)
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Crossplane versions prior to 1.11.5
Crossplane versions prior to 1.12.3
Crossplane versions prior to 1.13.0
Description
A high-privileged user could create a Package referencing an arbitrarily large image, which Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled. The impact is limited due to the high privileges required to create the Package and the eventually consistent nature of the controller.
Recommendations
For versions prior to 1.11.5, update to version 1.11.5 or later.
For versions prior to 1.12.3, update to version 1.12.3 or later.
For versions prior to 1.13.0, update to version 1.13.0 or later.
As a temporary workaround, consider using images from trusted sources and keeping Package editing/creating privileges to administrators only.
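As an added illustration of the mitigation (this is not Crossplane's code and not the fix shipped in the patched versions), the two bounds a defender would want around package-image parsing, in Go: reject a manifest whose declared layer sizes already exceed a budget, and bound the bytes actually read, since declared sizes cannot be trusted. The budget `MaxPackageBytes`, the `LayerDescriptor` type and the function names are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// MaxPackageBytes is an assumed budget; the advisory does not state the limit the fix uses.
const MaxPackageBytes int64 = 10 << 20 // 10 MiB

var ErrPackageTooLarge = errors.New("package image exceeds size budget")

// LayerDescriptor holds the digest and declared size of one OCI image layer (assumed type).
type LayerDescriptor struct {
	Digest string
	Size   int64
}

// CheckDeclaredSize rejects a manifest whose declared layer sizes sum past the
// budget, so no bytes are fetched for an image that cannot fit.
func CheckDeclaredSize(layers []LayerDescriptor, budget int64) error {
	var total int64
	for _, l := range layers {
		// total never exceeds budget here, so budget-total cannot go negative.
		if l.Size < 0 || l.Size > budget-total {
			return fmt.Errorf("%w: layer %s declares %d bytes", ErrPackageTooLarge, l.Digest, l.Size)
		}
		total += l.Size
	}
	return nil
}

// ReadBounded buffers at most budget bytes from r and fails as soon as one more
// byte arrives; declared sizes are untrusted, so this bound is the real guard.
func ReadBounded(r io.Reader, budget int64) ([]byte, error) {
	var buf bytes.Buffer
	n, err := io.CopyN(&buf, r, budget+1)
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, err
	}
	if n > budget {
		return nil, ErrPackageTooLarge
	}
	return buf.Bytes(), nil
}
```

In a controller, `CheckDeclaredSize` runs on the fetched manifest and `ReadBounded` wraps each layer stream before any parsing, so an oversized image fails fast instead of being OOMKilled.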
Exploit
Fix
Allocation of Resources Without Limits
Resource Exhaustion
Related identifiers
Affected products
Crossplane