What is CVE-2023-37900?

CVE-2023-37900 is a vulnerability in Crossplane, a framework for building cloud native control planes, that allows a high-privileged user to create a Package referencing an arbitrarily large image, potentially leading to resource exhaustion and the container being OOMKilled.

What is the impact of CVE-2023-37900?

The impact of CVE-2023-37900 is low, as it requires high privileges and can result in resource exhaustion and the container being OOMKilled.

What software is affected by CVE-2023-37900?

CVE-2023-37900 affects Crossplane versions up to 1.11.5 and versions between 1.12.0 and 1.12.3.

How can I fix CVE-2023-37900?

To fix CVE-2023-37900, upgrade to Crossplane version 1.12.3.

Where can I find more information about CVE-2023-37900?

You can find more information about CVE-2023-37900 in the following references: [link1], [link2], [link3].

Vulnerability/
CVE-2023-37900

low

3.4

CWE

400 770

27/7/2023

28/7/2023

15/10/2024

CVE-2023-37900: Crossplane vulnerable to denial of service from large image

First published: Thu Jul 27 2023(Updated: )

### Impact An high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled. The impact is low due to the high privileges required to be able to create the Package and the eventually consistency nature of controller. ### Patches The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing. ### Workarounds Only using images from trusted sources and keeping Package editing/creating privileges to administrators only, which should be both considered already best practices. ### References See `ADA-XP-23-16` in the Security Audit's [report](https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf). ### Credits This was reported as `ADA-XP-23-16` by @AdamKorcz and @DavidKorczynski from Ada Logic and facilitated by OSTIF as part of the Security Audit sponsored by CNCF.

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Cncf Crossplane	<1.11.5
Cncf Crossplane	>=1.12.0<1.12.3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-37900?
CVE-2023-37900 is a vulnerability in Crossplane, a framework for building cloud native control planes, that allows a high-privileged user to create a Package referencing an arbitrarily large image, potentially leading to resource exhaustion and the container being OOMKilled.
What is the impact of CVE-2023-37900?
The impact of CVE-2023-37900 is low, as it requires high privileges and can result in resource exhaustion and the container being OOMKilled.
What software is affected by CVE-2023-37900?
CVE-2023-37900 affects Crossplane versions up to 1.11.5 and versions between 1.12.0 and 1.12.3.
How can I fix CVE-2023-37900?
To fix CVE-2023-37900, upgrade to Crossplane version 1.12.3.
Where can I find more information about CVE-2023-37900?
You can find more information about CVE-2023-37900 in the following references: [link1], [link2], [link3].

collector/github-advisory
alias/GHSA-68p4-95xf-7gx8
alias/CVE-2023-37900
collector/github-advisory-latest
collector/nvd-index
collector/nvd-cve
agent/type
agent/softwarecombine
agent/weakness
agent/references
agent/severity
agent/author
agent/description
collector/nvd-latest
agent/software-canonical-lookup-request
collector/nvd-api
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/tags
agent/first-publish-date
agent/event
package-manager/go
vendor/cncf
canonical/cncf crossplane
version/cncf crossplane/1.12.0