CVE-2023-27483 – github.com/crossplane/crossplane-runtime

Package

Manager: go
Name: github.com/crossplane/crossplane-runtime
Vulnerable Version: >=0.17.0 <0.19.2 || >=0.6.0 <0.16.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0069 pctl0.70884

Details

fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime ### Summary Fuzz testing on `crossplane/crossplane`, by Ada Logics and sponsored by the CNCF, identified input to a function in the `fieldpath` package that can cause an out of memory panic. Applications that use the `Paved` type's `SetValue` method with user provided input without proper validation might use excessive amounts of memory and cause an out of memory panic. ### Details In the `fieldpath` package, the `SetValue` method of the `Paved` type sets a value on the inner object according to the provided path, without validating it first. This allows setting values in slices at any specific index and the code will grow the target array up to the required size. The index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value. ### Workaround Users can parse and validate the path before passing it to the `SetValue` method of the `Paved` type, constraining the index size as deemed appropriate. ### Credits Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.

Metadata

Created: 2023-03-13T20:53:50Z
Modified: 2023-03-13T20:53:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-vfvj-3m3g-m532/GHSA-vfvj-3m3g-m532.json
CWE IDs: ["CWE-20", "CWE-400"]
Alternative ID: GHSA-vfvj-3m3g-m532
Finding: F067
Auto approve: 1