cvedb.io
CVE-2023-27484
MEDIUM · CVSS 6.2
EPSS exploitation probability: 0%
Published 2023-03-09T21:15:11.813 · Last modified 2026-06-17T05:45:18.440

Summary

crossplane-runtime is a set of Go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions, an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's `ToFieldPath`, which could lead to excessive memory usage once such a Composition is selected for a Composite Resource. Compositions allow users to specify patches that insert elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, its patches are evaluated; if a specified index is greater than the current size of the target slice, Crossplane grows that slice up to the specified index, which could lead to an excessive amount of memory usage and therefore to the Pod being OOM-killed. The inde
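The allocation pattern the summary describes, as an added illustration in Go. This is not crossplane-runtime's own fieldpath code: the path parser is a minimal stand-in, the `1024` cap is an assumed placeholder (the page does not state what value the project chose), and the sample `ToFieldPath` strings are constructed for the example. The point it shows is that the index in the path is the allocation size, so the bound check has to run before the `make`.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"unsafe"
)

// maxFieldPathIndex is an assumed cap for this example. The page does not state
// the value crossplane-runtime settled on; treat this number as a placeholder.
const maxFieldPathIndex = 1024

// indexedPath matches a ToFieldPath ending in an array subscript, such as
// "spec.forProvider.tags[3]", capturing the final field name and the index.
var indexedPath = regexp.MustCompile(`^(?:[A-Za-z0-9_.]+\.)?([A-Za-z0-9_]+)\[(\d+)\]$`)

// parseIndexedPath is a minimal stand-in for a field path parser: it returns
// the last field name and the requested index, rejecting anything that does
// not end in "[N]".
func parseIndexedPath(p string) (field string, idx int, err error) {
	m := indexedPath.FindStringSubmatch(p)
	if m == nil {
		return "", 0, fmt.Errorf("path %q does not end in an array index", p)
	}
	idx, err = strconv.Atoi(m[2])
	if err != nil {
		return "", 0, fmt.Errorf("path %q: index does not fit in an int", p)
	}
	return m[1], idx, nil
}

// growthBytes estimates how much memory growing a slice of interface{} from
// cur elements to idx+1 elements allocates on this platform. That is the cost
// of a single patch before any element is even assigned.
func growthBytes(cur, idx int) uint64 {
	if idx < cur {
		return 0
	}
	var elem interface{}
	return uint64(idx+1-cur) * uint64(unsafe.Sizeof(elem))
}

// setAtIndexUnbounded mirrors the behaviour the advisory describes: when idx is
// past the end of the slice, the slice is grown to idx+1 elements, so whoever
// writes the Composition chooses the allocation size.
func setAtIndexUnbounded(s []interface{}, idx int, v interface{}) []interface{} {
	if idx >= len(s) {
		grown := make([]interface{}, idx+1)
		copy(grown, s)
		s = grown
	}
	s[idx] = v
	return s
}

// setAtIndexCapped performs the bound check before any allocation happens.
func setAtIndexCapped(s []interface{}, idx int, v interface{}) ([]interface{}, error) {
	if idx < 0 || idx > maxFieldPathIndex {
		return s, fmt.Errorf("index %d is outside [0, %d]", idx, maxFieldPathIndex)
	}
	return setAtIndexUnbounded(s, idx, v), nil
}

func main() {
	// Constructed sample paths: one ordinary index and one chosen to exhaust memory.
	for _, p := range []string{"spec.forProvider.tags[2]", "spec.forProvider.tags[4294967295]"} {
		field, idx, err := parseIndexedPath(p)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s -> field %q index %d would allocate ~%d MiB\n",
			p, field, idx, growthBytes(0, idx)>>20)
		if _, err := setAtIndexCapped([]interface{}{"a"}, idx, "b"); err != nil {
			fmt.Println("rejected:", err)
		}
	}
}
```

`growthBytes` is deliberately separate from the setter so the cost of a hostile index can be computed without performing the allocation; running `setAtIndexUnbounded` with the second sample path is exactly the OOM the advisory warns about.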

Affected products

crossplane — crossplane

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.