Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12ZnZqLTNtM2ctbTUzMs4AAyE3
fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime
Summary
Fuzz testing on crossplane/crossplane, by Ada Logics and sponsored by the CNCF, identified input to a function in the fieldpath package that can cause an out of memory panic. Applications that use the Paved type's SetValue method with user provided input without proper validation might use excessive amounts of memory and cause an out of memory panic.
Details
In the fieldpath package, the SetValue method of the Paved type sets a value on the inner object according to the provided path, without validating it first. This allows setting values in slices at any specific index and the code will grow the target array up to the required size. The index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value.
Workaround
Users can parse and validate the path before passing it to the SetValue method of the Paved type, constraining the index size as deemed appropriate.
Credits
Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
Permalink: https://github.com/advisories/GHSA-vfvj-3m3g-m532JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ZnZqLTNtM2ctbTUzMs4AAyE3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00101
EPSS Percentile: 0.42383
Identifiers: GHSA-vfvj-3m3g-m532, CVE-2023-27483
References:
- https://github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532
- https://nvd.nist.gov/vuln/detail/CVE-2023-27483
- https://github.com/crossplane/crossplane-runtime/commit/53508a9f4374604db140dd8ab2fa52276441e738
- https://pkg.go.dev/vuln/GO-2023-1623
- https://github.com/crossplane/crossplane-runtime/commit/f67177024d906aaf5e13ee7cd470b4e87a9fef40
- https://github.com/advisories/GHSA-vfvj-3m3g-m532
Blast Radius: 15.1
Affected Packages
go:github.com/crossplane/crossplane-runtime
Dependent packages: 563Dependent repositories: 369
Downloads:
Affected Version Ranges: >= 0.6.0, < 0.16.1, >= 0.17.0, < 0.19.2
Fixed in: 0.16.1, 0.19.2
All affected versions: 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.19.1
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.4.0, 0.5.0, 0.16.1, 0.19.2, 0.19.3, 0.20.0, 0.20.1, 1.11.0, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.15.0, 1.15.1, 1.16.0, 1.17.0, 1.18.0