PT-2023-26476 · Unknown · Crossplane
Adamkorcz +1
Published: 2023-07-27 · Updated: 2026-01-26
CVE-2023-38495
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Crossplane versions prior to 1.11.5
Crossplane versions prior to 1.12.3
Crossplane versions prior to 1.13.0
Description
Crossplane's image backend does not validate the byte contents of Crossplane packages against the digest they were requested by, so an attacker who can alter a package image can tamper with it without detection. The issue has been fixed in versions 1.11.5, 1.12.3, and 1.13.0. As a workaround, users should only use images from trusted sources and keep package editing/creating privileges restricted to administrators.
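The check the description says was missing is content-digest validation: the bytes that come back from the registry must hash to the digest that was pinned before they are handed to the package unpacker. The following Go program is an added illustration of that defensive check; it is not Crossplane's own code and does not reproduce the project's actual fix. It assumes OCI-style `sha256:<hex>` digest strings, and the package bytes used in `main` are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrDigestMismatch is returned when fetched bytes do not hash to the pinned digest.
var ErrDigestMismatch = errors.New("package content does not match expected digest")

// Digest computes an OCI-style "sha256:<hex>" digest over raw package bytes.
// A consumer would normally receive this value from the package reference it pinned.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyPackage returns nil only if data hashes to expected.
// Unknown algorithms and malformed digests are rejected rather than skipped,
// so an odd digest string can never silently disable the check.
func VerifyPackage(expected string, data []byte) error {
	algo, want, ok := strings.Cut(expected, ":")
	if !ok || algo != "sha256" || len(want) != sha256.Size*2 {
		return fmt.Errorf("malformed or unsupported digest %q", expected)
	}
	wantBytes, err := hex.DecodeString(want)
	if err != nil {
		return fmt.Errorf("digest %q is not hex: %w", expected, err)
	}
	sum := sha256.Sum256(data)
	// Constant-time compare: the digest is not secret, but this avoids any
	// timing-dependent behaviour in the comparison and costs nothing.
	if subtle.ConstantTimeCompare(sum[:], wantBytes) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// LoadPackage models the hardened path: bytes reach the unpacker only after
// they have been verified against the digest the caller pinned.
func LoadPackage(expected string, fetched []byte) ([]byte, error) {
	if err := VerifyPackage(expected, fetched); err != nil {
		return nil, err
	}
	return fetched, nil
}

func main() {
	// Constructed sample package content; not a real Crossplane package.
	original := []byte("apiVersion: meta.pkg.crossplane.io/v1\nkind: Provider\nmetadata:\n  name: sample\n")
	pinned := Digest(original)

	// A tampered copy with extra content appended.
	tampered := append(append([]byte(nil), original...), []byte("# injected\n")...)

	if _, err := LoadPackage(pinned, original); err != nil {
		fmt.Println("unexpected rejection:", err)
	} else {
		fmt.Println("original package accepted")
	}
	if _, err := LoadPackage(pinned, tampered); err != nil {
		fmt.Println("tampered package rejected:", err)
	}
}
```

The important design point is that `LoadPackage` fails closed: any mismatch, unsupported algorithm, or malformed digest string stops the package before its contents are parsed, which is the behaviour the advisory says was absent from the affected versions.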
Recommendations
For versions prior to 1.11.5, update to version 1.11.5 or later.
For versions prior to 1.12.3, update to version 1.12.3 or later.
For versions prior to 1.13.0, update to version 1.13.0 or later.
As a temporary workaround, use only images from trusted sources and restrict package editing/creating privileges to administrators.
Exploit
Fix
RCE
Affected Products
Crossplane