Severity score: 3.4 | CWE-400, CWE-770

CVE-2023-37900: Crossplane vulnerable to denial of service from large image

First published: Thu Jul 27 2023

### Impact

A high-privileged user could create a Package referencing an arbitrarily large image that Crossplane would then parse, possibly exhausting all the available memory and therefore causing the container to be OOMKilled. The impact is low due to the high privileges required to create the Package and the eventually consistent nature of the controller.

### Patches

The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing.

### Workarounds

Only use images from trusted sources and keep Package editing/creating privileges restricted to administrators; both should already be considered best practices.

### References

See `ADA-XP-23-16` in the Security Audit's [report](https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf).

### Credits

This was reported as `ADA-XP-23-16` by @AdamKorcz and @DavidKorczynski from Ada Logics and facilitated by OSTIF as part of the Security Audit sponsored by CNCF.
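The failure mode described above is an unbounded parse of input that a privileged user controls: the parser's memory use tracks the size of whatever the image claims to be. As an added example (not Crossplane's code, and not the fix the project shipped, which this page does not describe), the Go program below shows the mitigation class a controller can apply when it unpacks an image layer: a byte budget on the stream, enforced by a reader that fails with an error rather than silently truncating, plus a streaming drain of each archive entry so no file body is ever buffered in full. The tar archive, the `boundedReader`/`inspectLayer` names and the budget values are constructed for this illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrLayerTooLarge is returned once a layer stream exceeds the configured byte budget.
var ErrLayerTooLarge = errors.New("layer exceeds configured size budget")

// boundedReader hands out at most limit bytes from r. Once the budget is spent it
// returns ErrLayerTooLarge instead of io.EOF, so a caller cannot mistake an
// over-budget stream for a cleanly finished one (io.LimitReader would report EOF).
type boundedReader struct {
	r     io.Reader
	limit int64 // total bytes the caller is willing to read
	read  int64 // bytes handed out so far
}

func (b *boundedReader) Read(p []byte) (int, error) {
	if b.read >= b.limit {
		return 0, ErrLayerTooLarge
	}
	if remaining := b.limit - b.read; int64(len(p)) > remaining {
		p = p[:remaining]
	}
	n, err := b.r.Read(p)
	b.read += int64(n)
	return n, err
}

// inspectLayer walks a tar stream (the on-disk format of an OCI image layer)
// entry by entry without buffering any file body, and enforces a total byte
// budget on the stream. It returns the number of entries seen before either the
// archive ended cleanly or the budget ran out (in which case err is ErrLayerTooLarge).
func inspectLayer(layer io.Reader, budget int64) (int, error) {
	tr := tar.NewReader(&boundedReader{r: layer, limit: budget})
	entries := 0
	for {
		if _, err := tr.Next(); err != nil {
			if err == io.EOF {
				return entries, nil // clean end of archive
			}
			return entries, err // includes ErrLayerTooLarge from the bounded reader
		}
		entries++
		// Drain the entry body through io.Discard's fixed-size buffer; memory use
		// stays constant no matter how large the entry header claims the file is.
		if _, err := io.Copy(io.Discard, tr); err != nil {
			return entries, err
		}
	}
}

// buildLayer constructs an in-memory tar archive (constructed sample data, not a
// real image layer) with n regular files of size bytes each.
func buildLayer(n, size int) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := bytes.Repeat([]byte("x"), size)
	for i := 0; i < n; i++ {
		hdr := &tar.Header{Name: fmt.Sprintf("file%d.txt", i), Mode: 0o644, Size: int64(size)}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// 3 entries of 1000 bytes: 3 x (512 header + 1024 padded body) + 1024 trailer = 5632 bytes.
	layer := buildLayer(3, 1000)

	n, err := inspectLayer(bytes.NewReader(layer), 10000)
	fmt.Println("within budget:", n, err) // within budget: 3 <nil>

	n, err = inspectLayer(bytes.NewReader(layer), 2000)
	fmt.Println("over budget:", n, err) // over budget: 1 layer exceeds configured size budget
}
```

In a real controller the budget would come from configuration (a maximum package image size) rather than a literal, and the same reader would wrap the registry pull rather than an in-memory archive. The property that matters is that exceeding the budget surfaces as an error the reconciler can record on the Package, instead of either unbounded allocation or a silently truncated parse.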

Credit: security-advisories@github.com

Affected Software   Affected Version     How to fix
Cncf Crossplane     <1.11.5              Upgrade to 1.11.5
Cncf Crossplane     >=1.12.0, <1.12.3    Upgrade to 1.12.3


Frequently Asked Questions

  • What is CVE-2023-37900?

    CVE-2023-37900 is a vulnerability in Crossplane, a framework for building cloud native control planes, that allows a high-privileged user to create a Package referencing an arbitrarily large image, potentially leading to resource exhaustion and the container being OOMKilled.

  • What is the impact of CVE-2023-37900?

    The impact of CVE-2023-37900 is low because exploitation requires high privileges; the effect is memory exhaustion and the Crossplane container being OOMKilled.

  • What software is affected by CVE-2023-37900?

    CVE-2023-37900 affects Crossplane versions before 1.11.5 and versions from 1.12.0 up to, but not including, 1.12.3.

  • How can I fix CVE-2023-37900?

    To fix CVE-2023-37900, upgrade to a patched Crossplane release: 1.11.5, 1.12.3 or 1.13.0.

  • Where can I find more information about CVE-2023-37900?

    You can find more information about CVE-2023-37900 in the References section above, which points to finding `ADA-XP-23-16` in the Crossplane security audit report.

© 2024 SecAlerts Pty Ltd.