GHSA-VFVJ-3M3G-M532

Vulnerability from github – Published: 2023-03-13 20:53 – Updated: 2023-03-13 20:53
VLAI?
Summary
fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime
Details

Summary

Fuzz testing on crossplane/crossplane, by Ada Logics and sponsored by the CNCF, identified input to a function in the fieldpath package that can cause an out of memory panic. Applications that use the Paved type's SetValue method with user provided input without proper validation might use excessive amounts of memory and cause an out of memory panic.

Details

In the fieldpath package, the SetValue method of the Paved type sets a value on the inner object according to the provided path, without validating it first. This allows setting values in slices at any specific index and the code will grow the target array up to the required size. The index is currently capped at max uint32 (4294967295) given how indexes are parsed, but that is still an unnecessarily large value.

Workaround

Users can parse and validate the path before passing it to the SetValue method of the Paved type, constraining the index size as deemed appropriate.

Credits

Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.

Severity ?
5.9 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/crossplane/crossplane-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.17.0"
            },
            {
              "fixed": "0.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/crossplane/crossplane-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0"
            },
            {
              "fixed": "0.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-13T20:53:50Z",
    "nvd_published_at": "2023-03-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nFuzz testing on `crossplane/crossplane`, by Ada Logics and sponsored by the CNCF, identified input to a function in the `fieldpath` package that can cause an out of memory panic. Applications that use the `Paved` type\u0027s `SetValue` method with user provided input without proper validation might use excessive amounts of memory and cause an out of memory panic.\n\n### Details\n\nIn the `fieldpath` package, the `SetValue` method of the `Paved` type sets a value on the inner object according to the provided path, without validating it first. This allows setting values in slices at any specific index and the code will grow the target array up to the required size. The index is currently capped at max uint32 (4294967295) given how indexes are parsed,  but that is still an unnecessarily large value.\n\n### Workaround\n\nUsers can parse and validate the path before passing it to the `SetValue` method of the `Paved` type, constraining the index size as deemed appropriate.\n\n### Credits\n\nDisclosed by Ada Logics in a fuzzing audit sponsored by CNCF.",
  "id": "GHSA-vfvj-3m3g-m532",
  "modified": "2023-03-13T20:53:50Z",
  "published": "2023-03-13T20:53:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/crossplane/crossplane-runtime/commit/53508a9f4374604db140dd8ab2fa52276441e738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/crossplane/crossplane-runtime/commit/f67177024d906aaf5e13ee7cd470b4e87a9fef40"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/crossplane/crossplane-runtime"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2023-1623"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fieldpath\u0027s Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.