vulndb/data/reports/GO-2023-1623.yaml

id: GO-2023-1623
modules:
  - module: github.com/crossplane/crossplane-runtime
    versions:
      - introduced: 0.6.0
        fixed: 0.16.1
      - introduced: 0.17.0
        fixed: 0.19.2
    vulnerable_at: 0.19.1
    packages:
      - package: github.com/crossplane/crossplane-runtime/pkg/fieldpath
        symbols:
          - Paved.SetValue
        derived_symbols:
          - Paved.MergeValue
          - Paved.SetBool
          - Paved.SetNumber
          - Paved.SetString
summary: Out-of-memory panic in Paved.SetValue.
description: |
    An out of memory panic vulnerability exists in the crossplane-runtime
    libraries.

    Applications that use the Paved type's SetValue method with user-provided
    input that is not properly validated might use excessive amounts of memory
    and cause an out of memory panic.

    In the fieldpath package, the Paved.SetValue method sets a value on the
    Paved object according to the provided path, without any validation. This
    allows setting values in slices at any provided index, which grows the
    target array up to the requested index. The index is currently capped at max
    uint32 (4294967295), a large value. If callers do not validate paths'
    indexes on their own, this could allow users to consume arbitrary amounts of
    memory.

    Applications that do not use the Paved type's SetValue method are not affected.

    Users unable to upgrade can work around this issue by parsing and validating
    the path before passing it to the SetValue method of the Paved type,
    constraining the index size as deemed appropriate.    
cves:
  - CVE-2023-27483
ghsas:
  - GHSA-vfvj-3m3g-m532
credits:
  - Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
references:
  - advisory: https://github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532
  - fix: https://github.com/crossplane/crossplane-runtime/commit/53508a9f4374604db140dd8ab2fa52276441e738