BIT-crossplane-2023-37900

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/crossplane/BIT-crossplane-2023-37900.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-crossplane-2023-37900

Aliases

Published

2026-01-26T14:36:54.817Z

Modified

2026-01-26T17:41:12.858148Z

Summary

Crossplane vulnerable to denial of service from large image

Details

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled. The impact is limited due to the high privileges required to be able to create the Package and the eventually consistency nature of controller. This issue is fixed in versions 1.11.5, 1.12.3, and 1.13.0.

Database specific

{
    "cpes": [
        "cpe:2.3:a:cncf:crossplane:*:*:*:*:*:*:*:*"
    ],
    "severity": "Low"
}

References

Affected packages

Bitnami / crossplane

Package

Name: crossplane
Purl: pkg:bitnami/crossplane

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.5

Introduced

1.12.0

Fixed

1.12.3

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/crossplane/BIT-crossplane-2023-37900.json"