PT-2023-26170 · Unknown · Crossplane
Credited: Adamkorcz +1
Published: 2023-07-27 · Updated: 2026-01-26
CVE-2023-37900
CVSS v3.1: 3.4 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Crossplane versions prior to 1.11.5
Crossplane versions prior to 1.12.3
Crossplane versions prior to 1.13.0
Description
A high-privileged user could create a Package referencing an arbitrarily large image, which Crossplane would then fetch and parse, possibly exhausting all available memory and causing the container to be OOMKilled. The impact is limited by the high privileges required to create the Package and by the eventually consistent nature of the controller.
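The weakness is a read with no upper bound: the whole image layer is buffered before anything checks its size. The Go program below is an added illustration, not Crossplane's code or its actual fix; the function names, the endless-stream stand-in for an oversized image, and the 1 MiB cap are all constructed for the example. It contrasts the unbounded pattern with a bounded read that fails closed once the cap is exceeded while never holding more than cap+1 bytes.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// ErrLayerTooLarge is returned when a package layer exceeds the configured cap.
var ErrLayerTooLarge = errors.New("package layer exceeds size limit")

// endlessZeros stands in for an arbitrarily large image layer supplied by a
// high-privileged user: every Read fills the buffer and never reports EOF.
type endlessZeros struct{}

func (endlessZeros) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// readLayerUnbounded is the risky pattern: the entire layer is buffered in
// memory before any check, so an oversized layer grows the heap until the
// process is OOMKilled. (Deliberately not called on the endless stream.)
func readLayerUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readLayerBounded reads at most limit bytes. Wrapping the stream in
// io.LimitReader with limit+1 distinguishes "exactly limit bytes" from
// "more than limit bytes" while buffering no more than limit+1 bytes.
func readLayerBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrLayerTooLarge
	}
	return data, nil
}

func main() {
	const limit = 1 << 20 // 1 MiB cap: a constructed value, not Crossplane's
	_, err := readLayerBounded(endlessZeros{}, limit)
	fmt.Println("endless layer:", err) // endless layer: package layer exceeds size limit
	data, _ := readLayerBounded(io.LimitReader(endlessZeros{}, limit), limit)
	fmt.Println("exactly at cap:", len(data)) // exactly at cap: 1048576
}
```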
Recommendations
For versions prior to 1.11.5, update to version 1.11.5 or later.
For versions prior to 1.12.3, update to version 1.12.3 or later.
For versions prior to 1.13.0, update to version 1.13.0 or later.
As a temporary workaround, consider using images only from trusted sources and restricting Package create/edit privileges to administrators only.
Allocation of Resources Without Limits
Resource Exhaustion
Affected Products
Crossplane