Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Crossplane vulnerable to possible image tampering from missing image validation for Packages
Vulnerability Description
Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package. The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0. As a workaround, only use images from trusted sources and keep Package editing/creating privileges to administrators only.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
输入验证不恰当
Vulnerability Title
crossplane 输入验证错误漏洞
Vulnerability Description
crossplane是一个无需编写代码即可构建云原生控制平面的框架。 Crossplane 1.11.5、1.12.3 和 1.13.0 之前版本存在输入验证错误漏洞,该漏洞源于镜像后端不验证 Crossplane 包的字节内容,攻击者利用该漏洞可以篡改包。
CVSS Information
N/A
Vulnerability Type
N/A