data/reports: add GO-2023-1623.yaml

Aliases: CVE-2023-27483

Fixes golang/vulndb#1623

Change-Id: I8cfabaceaea6b7580d97499ced99771da8bd1275
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/475917
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
diff --git a/data/osv/GO-2023-1623.json b/data/osv/GO-2023-1623.json
new file mode 100644
index 0000000..89daed1
--- /dev/null
+++ b/data/osv/GO-2023-1623.json
@@ -0,0 +1,69 @@
+{
+  "id": "GO-2023-1623",
+  "published": "0001-01-01T00:00:00Z",
+  "modified": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-27483"
+  ],
+  "details": "An out of memory panic vulnerability exists in the crossplane-runtime libraries.\n\nApplications that use the Paved type's SetValue method with user-provided input that is not properly validated might use excessive amounts of memory and cause an out of memory panic.\n\nIn the fieldpath package, the Paved.SetValue method sets a value on the Paved object according to the provided path, without any validation. This allows setting values in slices at any provided index, which grows the target array up to the requested index. The index is currently capped at max uint32 (4294967295), a large value. If callers do not validate paths' indexes on their own, this could allow users to consume arbitrary amounts of memory.\n\nApplications that do not use the Paved type's SetValue method are not affected.\n\nUsers unable to upgrade can work around this issue by parsing and validating the path before passing it to the SetValue method of the Paved type, constraining the index size as deemed appropriate.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/crossplane/crossplane-runtime",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.6.0"
+            },
+            {
+              "fixed": "0.16.1"
+            },
+            {
+              "introduced": "0.17.0"
+            },
+            {
+              "fixed": "0.19.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "url": "https://pkg.go.dev/vuln/GO-2023-1623"
+      },
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/crossplane/crossplane-runtime/pkg/fieldpath",
+            "symbols": [
+              "Paved.MergeValue",
+              "Paved.SetBool",
+              "Paved.SetNumber",
+              "Paved.SetString",
+              "Paved.SetValue"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/crossplane/crossplane-runtime/commit/53508a9f4374604db140dd8ab2fa52276441e738"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF."
+    }
+  ],
+  "schema_version": "1.3.1"
+}
\ No newline at end of file
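Review bot: "published" and "modified" at the top of the record are both "0001-01-01T00:00:00Z", which is Go's zero time rather than a real date, so any consumer that sorts or filters OSV entries by modification time will treat this advisory as older than everything else. Please confirm these fields are filled in when the database is published, or set real timestamps here. Two smaller points: the "credits" entry puts a whole sentence ("Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.") in "name", where a consumer would expect just the credited party, and the file ends without a trailing newline.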
diff --git a/data/reports/GO-2023-1623.yaml b/data/reports/GO-2023-1623.yaml
new file mode 100644
index 0000000..0debf85
--- /dev/null
+++ b/data/reports/GO-2023-1623.yaml
@@ -0,0 +1,45 @@
+modules:
+  - module: github.com/crossplane/crossplane-runtime
+    versions:
+      - introduced: 0.6.0
+        fixed: 0.16.1
+      - introduced: 0.17.0
+        fixed: 0.19.2
+    vulnerable_at: 0.19.1
+    packages:
+      - package: github.com/crossplane/crossplane-runtime/pkg/fieldpath
+        symbols:
+          - Paved.SetValue
+        derived_symbols:
+          - Paved.MergeValue
+          - Paved.SetBool
+          - Paved.SetNumber
+          - Paved.SetString
+summary: Out-of-memory panic in Paved.SetValue.
+description: |
+    An out of memory panic vulnerability exists in the crossplane-runtime
+    libraries.
+
+    Applications that use the Paved type's SetValue method with user-provided
+    input that is not properly validated might use excessive amounts of memory
+    and cause an out of memory panic.
+
+    In the fieldpath package, the Paved.SetValue method sets a value on the
+    Paved object according to the provided path, without any validation. This
+    allows setting values in slices at any provided index, which grows the
+    target array up to the requested index. The index is currently capped at max
+    uint32 (4294967295), a large value. If callers do not validate paths'
+    indexes on their own, this could allow users to consume arbitrary amounts of
+    memory.
+
+    Applications that do not use the Paved type's SetValue method are not affected.
+
+    Users unable to upgrade can work around this issue by parsing and validating
+    the path before passing it to the SetValue method of the Paved type,
+    constraining the index size as deemed appropriate.
+cves:
+  - CVE-2023-27483
+credit: Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
+references:
+  - advisory: https://github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532
+  - fix: https://github.com/crossplane/crossplane-runtime/commit/53508a9f4374604db140dd8ab2fa52276441e738
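Review bot: the description's line "Applications that do not use the Paved type's SetValue method are not affected" disagrees with derived_symbols, which lists Paved.MergeValue, Paved.SetBool, Paved.SetNumber and Paved.SetString as affected too. A reader who only calls SetString would conclude from the prose that they are safe. Suggest wording it as "SetValue, or the methods that call it (MergeValue, SetBool, SetNumber, SetString)". Also, "The index is currently capped at max uint32" will read as stale once users are on 0.16.1 or 0.19.2; tie it to the affected versions, for example "In affected versions the index is capped at ...".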