PT-2023-21159 · Unknown · Crossplane-Runtime

Phisco · Published 2023-03-09 · Updated 2023-03-17 · CVE-2023-27483

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

crossplane-runtime versions prior to 0.16.1
crossplane-runtime versions prior to 0.19.2
Description

An out-of-memory panic has been discovered in crossplane-runtime, a set of Go libraries used to build Kubernetes controllers in Crossplane and its related stacks. The issue affects applications that pass user-provided input to the Paved type's SetValue method without validating it, which allows excessive memory consumption and can cause an out-of-memory panic. SetValue sets a value on the Paved object at the provided path without validation: a path may address any index of a slice, and the target slice is grown up to the requested index. The index is capped at max uint32 (4294967295), but that bound is still far too large: a slice of that many 16-byte interface values on a 64-bit platform is on the order of 64 GiB, so a single crafted path is enough to exhaust the process memory. Applications that do not use the Paved type's SetValue method are not affected.
Recommendations

For versions prior to 0.16.1, upgrade to version 0.16.1 or later to resolve the issue. For versions prior to 0.19.2, upgrade to version 0.19.2 or later to resolve the issue. As a temporary workaround for users unable to upgrade, parse and validate the path before passing it to the SetValue method of the Paved type, constraining the index to a bound appropriate for the workload.
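The workaround above, as an added example that is not crossplane-runtime's own code: a Go parser for the `field.sub[3].name` path syntax that refuses any index above a cap before the path is used, beside a toy `set` that grows slices to the requested index in the way the description attributes to SetValue. The cap `MaxIndex` (1024), the simplified grammar (decimal indices only, no quoted keys or wildcards) and every function name here are assumptions for illustration; choose the real bound from what your resources legitimately need.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// MaxIndex is an assumed cap; the advisory leaves the bound to the application.
const MaxIndex uint64 = 1024
var ErrIndexTooLarge = errors.New("field path index exceeds configured maximum")

// ParsePath is the advisory's workaround: parse the path and refuse any index above
// maxIndex before it can reach SetValue. Segments are a string (key) or uint64 (index).
func ParsePath(path string, maxIndex uint64) ([]any, error) {
	var segs []any
	for _, part := range strings.Split(path, ".") {
		field, rest := part, ""
		if i := strings.IndexByte(part, '['); i >= 0 {
			field, rest = part[:i], part[i:]
		}
		if field != "" {
			segs = append(segs, field)
		} else if rest == "" {
			return nil, fmt.Errorf("empty segment in path %q", path)
		}
		for rest != "" {
			end := strings.IndexByte(rest, ']')
			if rest[0] != '[' || end < 0 {
				return nil, fmt.Errorf("malformed index in segment %q", part)
			}
			n, err := strconv.ParseUint(rest[1:end], 10, 64)
			if err != nil {
				return nil, fmt.Errorf("bad index %q in segment %q", rest[1:end], part)
			}
			if n > maxIndex {
				return nil, fmt.Errorf("%w: [%d] > %d in %q", ErrIndexTooLarge, n, maxIndex, path)
			}
			segs = append(segs, n)
			rest = rest[end+1:]
		}
	}
	return segs, nil
}

// set walks or creates nested maps and slices along segs and stores value at the end.
// Toy stand-in for the growth the advisory describes: an index past the end of a slice
// extends it to index+1 elements, so an unchecked [4294967295] allocates that many.
func set(cur any, segs []any, value any) (any, error) {
	if len(segs) == 0 {
		return value, nil
	}
	switch key := segs[0].(type) {
	case string:
		m, ok := cur.(map[string]any)
		if cur != nil && !ok {
			return nil, fmt.Errorf("field %q applied to a non-object value", key)
		}
		if m == nil {
			m = map[string]any{}
		}
		child, err := set(m[key], segs[1:], value)
		if err != nil {
			return nil, err
		}
		m[key] = child
		return m, nil
	case uint64:
		s, ok := cur.([]any)
		if cur != nil && !ok {
			return nil, fmt.Errorf("index [%d] applied to a non-array value", key)
		}
		if key >= uint64(len(s)) {
			grown := make([]any, key+1) // the allocation the index cap bounds
			copy(grown, s)
			s = grown
		}
		child, err := set(s[key], segs[1:], value)
		if err != nil {
			return nil, err
		}
		s[key] = child
		return s, nil
	default:
		return nil, fmt.Errorf("unexpected segment %v", segs[0])
	}
}

// SafeSetValue parses and validates path, then applies it to obj (non-nil) in place.
func SafeSetValue(obj map[string]any, path string, value any, maxIndex uint64) error {
	segs, err := ParsePath(path, maxIndex)
	if err != nil {
		return err
	}
	_, err = set(obj, segs, value)
	return err
}
```

Against the real library the same rule applies: run the user-supplied path through a parser, reject any array index above your bound, and only then hand the path to `Paved.SetValue`; the point is that the check happens before the call that allocates, not inside a recover around it.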

Tags: Resource Exhaustion (denial of service; no code execution is involved, per the C:N/I:N/A:H vector above)

Weakness Enumeration

Related Identifiers

CVE-2023-27483
GHSA-vfvj-3m3g-m532
GO-2023-1623

Affected Products

Crossplane-Runtime