CVE-2023-37900
low-risk
Published 2023-07-27
Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image that Crossplane would then parse, possibly exhausting all the available memory and therefore causing the container to be OOMKilled. The impact is limited because of the high privileges required to create the Package and the eventually consistent nature of the controller. This issue is fixed in versions 1.11.5, 1.12.3, and 1.13.0.
Do I need to act?
0.07% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 3.4/10 (Low): attack vector NETWORK / LOW complexity
Affected Products (1)
Crossplane
Affected Vendors
References (4)
Third Party Advisory
https://github.com/crossplane/crossplane/security/advisories/GHSA-68p4-95xf-7gx8
Risk score: 21 / 100 (low-risk)
Severity: 16/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 5/34 · Minimal