PT-2023-26476 · Unknown · Crossplane
Adamkorcz +1
Published 2023-07-27 · Updated 2026-01-26
CVE-2023-38495
CVSS v3.1 8.3 High
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Crossplane versions prior to 1.11.5
Crossplane versions prior to 1.12.3
Crossplane versions prior to 1.13.0
Description
Crossplane's image backend does not validate the byte contents of Crossplane packages, allowing an attacker to tamper with a package without detection. The issue has been fixed in versions 1.11.5, 1.12.3, and 1.13.0. As a workaround, users should only use images from trusted sources and keep package editing/creating privileges restricted to administrators.
Recommendations
For versions prior to 1.11.5, update to version 1.11.5 or later.
For versions prior to 1.12.3, update to version 1.12.3 or later.
For versions prior to 1.13.0, update to version 1.13.0 or later.
As a temporary workaround, consider only using images from trusted sources and restricting package editing/creating privileges to administrators.
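The description above states that the image backend did not validate the byte contents of a package. One way to validate them, shown here as an added example that is not Crossplane's own code, is content-addressable verification: recompute the SHA-256 of every fetched layer and compare it with the digest and size recorded in the image manifest (the OCI convention) before the layer is parsed or applied. The package bytes and the descriptor are constructed inline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// LayerDescriptor mirrors the two fields an OCI manifest records per layer:
// a digest of the form "sha256:<hex>" and the layer size in bytes.
type LayerDescriptor struct {
	Digest string
	Size   int64
}

var (
	ErrSizeMismatch   = errors.New("layer size does not match manifest descriptor")
	ErrDigestMismatch = errors.New("layer bytes do not match manifest digest")
)

// VerifyLayer is the check a package backend should run on every fetched layer:
// hash the bytes actually received and compare them to the trusted descriptor.
func VerifyLayer(desc LayerDescriptor, data []byte) error {
	parts := strings.SplitN(desc.Digest, ":", 2)
	if len(parts) != 2 || parts[0] != "sha256" || len(parts[1]) != sha256.Size*2 {
		return fmt.Errorf("unsupported or malformed digest %q", desc.Digest)
	}
	if int64(len(data)) != desc.Size { // cheap check first; also catches truncation
		return ErrSizeMismatch
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != parts[1] { // OCI digests are lowercase hex
		return ErrDigestMismatch
	}
	return nil
}

// DescriptorFor builds the descriptor a trusted manifest would carry for data.
// It is used here only to construct the sample; in practice it comes from the registry.
func DescriptorFor(data []byte) LayerDescriptor {
	sum := sha256.Sum256(data)
	return LayerDescriptor{Digest: "sha256:" + hex.EncodeToString(sum[:]), Size: int64(len(data))}
}

func main() {
	// Constructed stand-in for the bytes of a Crossplane package layer.
	pkg := []byte("apiVersion: meta.pkg.crossplane.io/v1\nkind: Provider\n")
	desc := DescriptorFor(pkg)
	fmt.Println("pristine:", VerifyLayer(desc, pkg))
	tampered := append([]byte(nil), pkg...)
	tampered[len(tampered)-2] ^= 0x01 // flip one bit: same size, different digest
	fmt.Println("tampered:", VerifyLayer(desc, tampered))
}
```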
Exploit
Fix
RCE
Weakness Enumeration
Related identifiers
Affected products
Crossplane