Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-37900: crossplane/security/ADA-security-audit-23.pdf at ac8b24fe739c5d942ea885157148497f196c3dd3 · crossplane/crossplane

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled. The impact is limited due to the high privileges required to be able to create the Package and the eventually consistency nature of controller. This issue is fixed in versions 1.11.5, 1.12.3, and 1.13.0.

CVE
Open in Source
#vulnerability#git#pdf

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
  • Pricing

Search code, repositories, users, issues, pull requests…

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Related news

GHSA-68p4-95xf-7gx8: Denial of service from large image

### Impact An high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled. The impact is low due to the high privileges required to be able to create the Package and the eventually consistency nature of controller. ### Patches The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing. ### Workarounds Only using images from trusted sources and keeping Package editing/creating privileges to administrators only, which should be both considered already best practices. ### References See `ADA-XP-23-16` in the Security Audit's [report](https://github.com/crossplane/crossplane/blob/ac8b24fe739c5d942ea885157148497f196c3dd3/security/ADA-security-audit-23.pdf). ### Credits This was reported as `ADA-XP-23-16` by @AdamKorcz and @DavidKorczynski from Ada Lo...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE