GHSA-v829-x6hh-cqfq · 深刻度: medium · エコシステム: go — Crossplane-runtime contains Improper Input Validation via Compositions
crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's `ToFieldPath`, which could lead to excessive memory usage once such Composition is selected for a Composite resource. Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, Crossplane will grow that slice up to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value. This issue has been addressed in versions 1.11.2, 1.10.3, and 1.9.2. Users are advised to upgrade. Users unable to upgrade can restrict write privileges on Compositions to only admin users as a workaround.
総合評価: CVE-2023-27484 は中リスク(41.7/100)。CVSS 深刻度は中。悪用される可能性が高い(EPSS 0.68%、47 パーセンタイル) 推奨対応: 影響資産を整理し、修補計画に組み込んでください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.31% | 0.68% | +0.37% |
| 2 | 2026-03-25 | 0.41% | 0.31% | -0.10% |
| 3 | 2026-03-12 | — | 0.41% | — |
EPSS の全履歴 (全 11 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 6.2 | 3.1 | MEDIUM |
|
1.7 | 4.0 | [email protected] |
| 4.9 | 3.1 | MEDIUM |
|
1.2 | 3.6 | [email protected] |
GHSA-v829-x6hh-cqfq · 深刻度: medium · エコシステム: go — Crossplane-runtime contains Improper Input Validation via Compositions
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| crossplane | crossplane | >= 1.9.0, < 1.9.2 | cpe:2.3:a:crossplane:crossplane:*:*:*:*:*:*:*:* |
| crossplane | crossplane | >= 1.10.0, < 1.10.3 | cpe:2.3:a:crossplane:crossplane:*:*:*:*:*:*:*:* |
| crossplane | crossplane | >= 1.11.0, < 1.11.2 | cpe:2.3:a:crossplane:crossplane:*:*:*:*:*:*:*:* |
| URL | タグ |
|---|---|
| https://github.com/crossplane/crossplane/security/advisories/GHSA-v829-x6hh-cqfq | Vendor Advisory |