id: GO-2023-1623
modules:
    - module: github.com/crossplane/crossplane-runtime
      versions:
          - introduced: 0.6.0
            fixed: 0.16.1
          - introduced: 0.17.0
            fixed: 0.19.2
      vulnerable_at: 0.19.1
      packages:
          - package: github.com/crossplane/crossplane-runtime/pkg/fieldpath
            symbols:
                - Paved.SetValue
            derived_symbols:
                - Paved.MergeValue
                - Paved.SetBool
                - Paved.SetNumber
                - Paved.SetString
summary: Out-of-memory panic in github.com/crossplane/crossplane-runtime
description: |-
    An out-of-memory panic vulnerability exists in the crossplane-runtime libraries.

    Applications that call the Paved type's SetValue method with user-provided input
    that is not properly validated might use excessive amounts of memory and cause
    an out-of-memory panic.

    In the fieldpath package, the Paved.SetValue method sets a value on the Paved
    object at the provided path without any validation. This allows setting values
    in slices at any provided index, which grows the target slice up to the
    requested index. The index is currently capped at max uint32 (4294967295), a
    large value. If callers do not validate the indexes in a path themselves, this
    could allow users to consume arbitrary amounts of memory.

    Applications that do not use the Paved type's SetValue method are not affected.

    Users unable to upgrade can work around this issue by parsing and validating the
    path before passing it to the SetValue method of the Paved type, constraining
    the index size as deemed appropriate.
cves:
    - CVE-2023-27483
ghsas:
    - GHSA-vfvj-3m3g-m532
credits:
    - Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
references:
    - advisory: https://github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532
    - fix: https://github.com/crossplane/crossplane-runtime/commit/53508a9f4374604db140dd8ab2fa52276441e738
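The workaround the advisory describes for callers who cannot upgrade is to parse and validate the path before handing it to `Paved.SetValue`, constraining the slice index. The following Go program is an added example written for this record, not code from crossplane-runtime or from the advisory. It assumes the path grammar used with `SetValue` is dot-separated segments with `[n]` for slice indexes and `['key']`/`["key"]` for quoted map keys, and it assumes `*fieldpath.Paved` satisfies the small `ValueSetter` interface below (the real method's signature, `SetValue(path string, value interface{}) error`, is the basis for that assumption). The `recorder` type, the `maxIndex` cap of 1024 and the sample paths are constructed for the example so it runs without the dependency.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrIndexTooLarge is returned when a slice index in the path exceeds the cap.
var ErrIndexTooLarge = errors.New("fieldpath: slice index exceeds configured maximum")

// ValueSetter is the subset of *fieldpath.Paved this guard needs. Assumption:
// the real type's method has the signature SetValue(path string, value interface{}) error,
// so a *Paved satisfies this interface without an adapter.
type ValueSetter interface {
	SetValue(path string, value interface{}) error
}

// ValidateIndexes scans a field path such as "spec.items[3].env[0]" and rejects
// any bracketed numeric index that is negative, non-numeric, unterminated, or
// greater than maxIndex. Quoted bracket segments (['key'] or ["key"]) are map
// keys rather than indexes and are skipped. This is a hypothetical pre-check
// written for this example; it is not the library's own path parser.
func ValidateIndexes(path string, maxIndex int) error {
	for pos := 0; pos < len(path); {
		open := strings.IndexByte(path[pos:], '[')
		if open < 0 {
			return nil
		}
		open += pos
		if open+1 < len(path) && (path[open+1] == '\'' || path[open+1] == '"') {
			// Quoted key: skip to the matching quote, then require a closing ']'.
			q := path[open+1]
			end := strings.IndexByte(path[open+2:], q)
			if end < 0 || open+2+end+1 >= len(path) || path[open+2+end+1] != ']' {
				return fmt.Errorf("fieldpath: malformed quoted key at offset %d", open)
			}
			pos = open + 2 + end + 2
			continue
		}
		end := strings.IndexByte(path[open:], ']')
		if end < 0 {
			return fmt.Errorf("fieldpath: unterminated '[' at offset %d", open)
		}
		seg := path[open+1 : open+end]
		pos = open + end + 1
		n, err := strconv.Atoi(seg) // also fails on values that overflow int
		if err != nil {
			return fmt.Errorf("fieldpath: invalid index %q: %w", seg, err)
		}
		if n < 0 {
			return fmt.Errorf("fieldpath: negative index %d", n)
		}
		if n > maxIndex {
			return fmt.Errorf("%w: %d > %d", ErrIndexTooLarge, n, maxIndex)
		}
	}
	return nil
}

// SafeSetValue validates every index in path against maxIndex before delegating
// to s.SetValue, so a path like "spec.items[4294967295]" is refused instead of
// growing the target slice to that length.
func SafeSetValue(s ValueSetter, path string, value interface{}, maxIndex int) error {
	if err := ValidateIndexes(path, maxIndex); err != nil {
		return err
	}
	return s.SetValue(path, value)
}

// recorder is a constructed stand-in for *fieldpath.Paved so this file runs
// without the crossplane-runtime dependency. It records accepted writes.
type recorder struct{ writes []string }

func (r *recorder) SetValue(path string, value interface{}) error {
	r.writes = append(r.writes, fmt.Sprintf("%s=%v", path, value))
	return nil
}

func main() {
	r := &recorder{}
	const maxIndex = 1024 // assumed application-specific cap, far below max uint32
	for _, p := range []string{ // constructed sample paths
		"spec.containers[0].image",
		"metadata.labels['app.kubernetes.io/name']",
		"spec.containers[4294967295].image", // the pattern the advisory describes
	} {
		err := SafeSetValue(r, p, "x", maxIndex)
		fmt.Printf("%-44s -> %v\n", p, err)
	}
	fmt.Println("accepted writes:", r.writes)
}
```

The cap is deliberately a parameter: the right value depends on how large a slice the application legitimately needs to address, and keeping it small keeps the memory an untrusted caller can force well below what the library's own uint32 ceiling would allow. Wrapping `ErrIndexTooLarge` with `%w` lets callers distinguish a rejected index from a malformed path with `errors.Is`.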