github.com/crossplane/crossplane-runtime is vulnerable to Denial of Service (DoS). The vulnerability exists because the Pave and setValue functions in paved.go do not enforce a maximum index size for a field path, allowing an attacker to use excessive memory and cause an application crash.
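The class of fix described above, as an added example that is not crossplane-runtime's own code: a simplified setter for "field[idx]" that grows a list to reach the index, with the bound checked before any allocation. SetListItem, ErrIndexTooLarge and the limit of 1024 are hypothetical names and values chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrIndexTooLarge is returned when a path index exceeds the configured bound.
var ErrIndexTooLarge = errors.New("index exceeds maximum")

// SetListItem is a hypothetical, simplified model of setting "field[idx]" in an
// unstructured object. The list is grown so that idx exists, which is why idx
// must be bounded before any allocation happens.
func SetListItem(obj map[string]any, field string, idx, maxIndex uint64, value any) error {
	// The guard: reject oversized indexes up front. Without it, the make()
	// below allocates idx+1 slots for whatever number the path contained.
	if idx > maxIndex {
		return fmt.Errorf("%s[%d]: %w (max %d)", field, idx, ErrIndexTooLarge, maxIndex)
	}
	var list []any
	if cur, ok := obj[field]; ok {
		l, isList := cur.([]any)
		if !isList {
			return fmt.Errorf("%s: not a list", field)
		}
		list = l
	}
	if idx >= uint64(len(list)) {
		grown := make([]any, idx+1)
		copy(grown, list)
		list = grown
	}
	list[idx] = value
	obj[field] = list
	return nil
}

func main() {
	const maxIndex = 1024 // assumed limit for this example
	obj := map[string]any{}
	fmt.Println(SetListItem(obj, "items", 2, maxIndex, "ok"), len(obj["items"].([]any)))
	// Constructed input: a path index far larger than any legitimate list.
	fmt.Println(SetListItem(obj, "items", 1<<40, maxIndex, "x"), len(obj["items"].([]any)))
}
```

The rejected call leaves the existing list untouched, so a caller can surface the error without having paid for the allocation.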
github.com/crossplane/crossplane-runtime/commit/12c1e9f8ecd731afc4e092967508fa226b80a461
github.com/crossplane/crossplane-runtime/commit/53508a9f4374604db140dd8ab2fa52276441e738
github.com/crossplane/crossplane-runtime/commit/7b5d269f55ddaf28dcdf995df929e289ca9d104a
github.com/crossplane/crossplane-runtime/commit/d4fccb39a42a963c67632d4120c11ff24d2eb38a
github.com/crossplane/crossplane-runtime/pull/390
github.com/crossplane/crossplane-runtime/pull/391
github.com/crossplane/crossplane-runtime/pull/393
github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532