CVE-2023-27484

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-27484

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-27484.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-27484

Aliases

GHSA-v829-x6hh-cqfq

Related

CGA-pgw2-jmgx-j6r6

Published

2023-03-09T20:22:48.602Z

Modified

2025-11-29T14:08:12.546599Z

Severity

6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVSS Calculator

Summary

Unchecked fieldpath index in Composition's patches can lead to arbitrary memory allocation in crossplane

Details

crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's ToFieldPath, which could lead to excessive memory usage once such Composition is selected for a Composite resource. Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, Crossplane will grow that slice up to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value. This issue has been addressed in versions 1.11.2, 1.10.3, and 1.9.2. Users are advised to upgrade. Users unable to upgrade can restrict write privileges on Compositions to only admin users as a workaround.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27484.json",
    "cwe_ids": [
        "CWE-20",
        "CWE-400"
    ]
}

References

Affected packages

Git / github.com/crossplane/crossplane

Affected ranges

Type

GIT

Repo

https://github.com/crossplane/crossplane

Events

Introduced

Fixed

a4c7a8428b03de0efa054db9c304f1fe47d32c4f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.9.2"
        }
    ]
}

Type

GIT

Repo

https://github.com/crossplane/crossplane

Events

Introduced

55bb734f638cdd93ebfab7b261f53594a368c4eb

Fixed

4a187ecd8f8bd9d8ac1fe3d8c8264254f0f4462a

Database specific

{
    "versions": [
        {
            "introduced": "1.10.0"
        },
        {
            "fixed": "1.10.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/crossplane/crossplane

Events

Introduced

c333c6b896be165af1d27b5dddedabf46dcb8f6c

Fixed

d3b2b65922761bde67a5c820d4de74545347e451

Database specific

{
    "versions": [
        {
            "introduced": "1.11.0"
        },
        {
            "fixed": "1.11.2"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.10.0-rc

v0.11.0-rc

v0.12.0-rc

v0.13.0-rc

v0.14.0-rc

v0.15.0-rc.0

v0.2.0

v0.3.0

v0.5.0-rc

v0.6.0-rc

v0.7.0-rc

v0.8.0-rc

v0.9.0-rc

v1.*

v1.0.0-rc.0

v1.1.0-rc

v1.1.0-rc.1

v1.10.0

v1.10.1

v1.10.2

v1.11.0

v1.11.1

v1.2.0-rc.0

v1.2.0-rc.1

v1.3.0-rc.0

v1.4.0

v1.4.0-rc.0

v1.5.0-rc.0

v1.6.0-rc.0

v1.7.0-rc.0

v1.8.0-rc.0

v1.9.0

v1.9.0-rc.0

v1.9.1