CVE-2023-38495
Severity: HIGH
Crossplane <1.11.5, <1.12.3, <1.13.0 - Info Disclosure
Title source: llmDescription
Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.
References (2)
Vendor Advisory x_refsource_confirm
https://github.com/crossplane/crossplane/security/advisories/GHSA-pj4x-2xr5-w87m
Exploit, Technical Description, Vendor Advisory x_refsource_misc
https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf
Scores
CVSS v3
8.3
EPSS
0.0072
EPSS Percentile
49.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
Status
published
Products (2)
cncf/crossplane
< 1.11.5
crossplane/crossplane
0 - 1.11.5 (Go)
Published
Jul 27, 2023
Tracked Since
Feb 18, 2026