All the vulnerabilites related to cilium - cilium
cve-2023-41333
Vulnerability from cvelistv5
Published
2023-09-26 20:19
Modified
2024-09-23 20:32
Severity ?
EPSS score ?
Summary
Bypass of namespace restrictions in CiliumNetworkPolicy
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-4xp2-w642-7mcx | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/pull/28007 | x_refsource_MISC | |
| https://docs.cilium.io/en/stable/security/threat-model/#kubernetes-api-server-attacker | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:34.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-4xp2-w642-7mcx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-4xp2-w642-7mcx"
},
{
"name": "https://github.com/cilium/cilium/pull/28007",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/pull/28007"
},
{
"name": "https://docs.cilium.io/en/stable/security/threat-model/#kubernetes-api-server-attacker",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cilium.io/en/stable/security/threat-model/#kubernetes-api-server-attacker"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41333",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T20:31:48.503484Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T20:32:01.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.2"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.7"
},
{
"status": "affected",
"version": "\u003c 1.12.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces. By using a crafted `endpointSelector` that uses the `DoesNotExist` operator on the `reserved:init` label, the attacker can create policies that bypass namespace restrictions and affect the entire Cilium cluster. This includes potentially allowing or denying all traffic. This attack requires API server access, as described in the Kubernetes API Server Attacker section of the Cilium Threat Model. This issue has been resolved in Cilium versions 1.14.2, 1.13.7, and 1.12.14. As a workaround an admission webhook can be used to prevent the use of `endpointSelectors` that use the `DoesNotExist` operator on the `reserved:init` label in CiliumNetworkPolicies.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T20:19:34.512Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-4xp2-w642-7mcx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-4xp2-w642-7mcx"
},
{
"name": "https://github.com/cilium/cilium/pull/28007",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/28007"
},
{
"name": "https://docs.cilium.io/en/stable/security/threat-model/#kubernetes-api-server-attacker",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/stable/security/threat-model/#kubernetes-api-server-attacker"
}
],
"source": {
"advisory": "GHSA-4xp2-w642-7mcx",
"discovery": "UNKNOWN"
},
"title": "Bypass of namespace restrictions in CiliumNetworkPolicy "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41333",
"datePublished": "2023-09-26T20:19:34.512Z",
"dateReserved": "2023-08-28T16:56:43.367Z",
"dateUpdated": "2024-09-23T20:32:01.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-34242
Vulnerability from cvelistv5
Published
2023-06-15 19:07
Modified
2024-12-11 21:11
Severity ?
EPSS score ?
Summary
Cilium vulnerable to information leakage via incorrect ReferenceGrant handling
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6 | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/releases/tag/v1.13.4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:54.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T21:11:20.726172Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T21:11:29.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of secrets (including certificates) and services across namespaces. An attacker on an affected cluster can leverage this issue to use cluster secrets that should not be visible to them, or communicate with services that they should not have access to. Gateway API functionality is disabled by default. This vulnerability is fixed in Cilium release 1.13.4. As a workaround, restrict the creation of `ReferenceGrant` resources to admin users by using Kubernetes RBAC."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T19:07:14.624Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-r7wr-4w5q-55m6"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.4"
}
],
"source": {
"advisory": "GHSA-r7wr-4w5q-55m6",
"discovery": "UNKNOWN"
},
"title": "Cilium vulnerable to information leakage via incorrect ReferenceGrant handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34242",
"datePublished": "2023-06-15T19:07:14.624Z",
"dateReserved": "2023-05-31T13:51:51.172Z",
"dateUpdated": "2024-12-11T21:11:29.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-42488
Vulnerability from cvelistv5
Published
2024-08-15 20:36
Modified
2024-08-19 19:23
Severity ?
EPSS score ?
Summary
Cilium agent's race condition may lead to policy bypass for Host Firewall policy
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/pull/33511 | x_refsource_MISC | |
| https://github.com/cilium/cilium/commit/aa44dd148a9be95e07782e4f990e61678ef0abf8 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T19:18:35.109669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T19:23:37.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.14"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. This issue has been patched in Cilium v1.14.14 and v1.15.8 As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T20:36:29.463Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw"
},
{
"name": "https://github.com/cilium/cilium/pull/33511",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/33511"
},
{
"name": "https://github.com/cilium/cilium/commit/aa44dd148a9be95e07782e4f990e61678ef0abf8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/aa44dd148a9be95e07782e4f990e61678ef0abf8"
}
],
"source": {
"advisory": "GHSA-q7w8-72mr-vpgw",
"discovery": "UNKNOWN"
},
"title": "Cilium agent\u0027s race condition may lead to policy bypass for Host Firewall policy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42488",
"datePublished": "2024-08-15T20:36:29.463Z",
"dateReserved": "2024-08-02T14:13:04.618Z",
"dateUpdated": "2024-08-19T19:23:37.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-25630
Vulnerability from cvelistv5
Published
2024-02-20 17:53
Modified
2024-08-01 23:44
Severity ?
EPSS score ?
Summary
Cilium has unencrypted ingress/health traffic when using Wireguard transparent encryption
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-7496-fgv9-xw82 | x_refsource_CONFIRM | |
| https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.14.7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T19:25:14.648426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:48.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:44:09.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-7496-fgv9-xw82",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-7496-fgv9-xw82"
},
{
"name": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311: Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T17:53:16.685Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-7496-fgv9-xw82",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-7496-fgv9-xw82"
},
{
"name": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.7"
}
],
"source": {
"advisory": "GHSA-7496-fgv9-xw82",
"discovery": "UNKNOWN"
},
"title": "Cilium has unencrypted ingress/health traffic when using Wireguard transparent encryption"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25630",
"datePublished": "2024-02-20T17:53:16.685Z",
"dateReserved": "2024-02-08T22:26:33.512Z",
"dateUpdated": "2024-08-01T23:44:09.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28250
Vulnerability from cvelistv5
Published
2024-03-18 21:42
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
Cilium has possible unencrypted traffic between nodes when using WireGuard and L7 policies
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/releases/tag/v1.13.13 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.14.8 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.15.2 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-19T14:36:42.524251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:15.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.605Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.8"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node\u0027s Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node\u0027s DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311: Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T21:42:21.689Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"
}
],
"source": {
"advisory": "GHSA-v6q2-4qr3-5cw6",
"discovery": "UNKNOWN"
},
"title": "Cilium has possible unencrypted traffic between nodes when using WireGuard and L7 policies"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28250",
"datePublished": "2024-03-18T21:42:21.689Z",
"dateReserved": "2024-03-07T14:33:30.036Z",
"dateUpdated": "2024-08-02T00:48:49.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28860
Vulnerability from cvelistv5
Published
2024-03-27 18:34
Modified
2024-08-02 00:56
Severity ?
EPSS score ?
Summary
Insecure IPsec transport encryption in Cilium
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586 | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72 | x_refsource_MISC | |
| https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149 | x_refsource_MISC | |
| https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa | x_refsource_MISC | |
| https://docs.cilium.io/en/stable/security/network/encryption-ipsec | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"lessThanOrEqual": "1.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.13.14",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.14.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.15.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.15.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:47:43.987847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T17:10:17.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:56:58.123Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586"
},
{
"name": "https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72"
},
{
"name": "https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149"
},
{
"name": "https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa"
},
{
"name": "https://docs.cilium.io/en/stable/security/network/encryption-ipsec",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cilium.io/en/stable/security/network/encryption-ipsec"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.4.0, \u003c= 1.13.14"
},
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.9"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key recovery, replay attacks by a man-in-the-middle attacker. These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks. This vulnerability is fixed in 1.13.13, 1.14.9, and 1.15.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326: Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-27T18:34:23.105Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586"
},
{
"name": "https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/311fbce5280491cddceab178d83b06fa23688c72"
},
{
"name": "https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/a1742b478306fa256cd27df1039dfae0537b4149"
},
{
"name": "https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/a652c123331852cca90c74202f993d4170fd37fa"
},
{
"name": "https://docs.cilium.io/en/stable/security/network/encryption-ipsec",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/stable/security/network/encryption-ipsec"
}
],
"source": {
"advisory": "GHSA-pwqm-x5x6-5586",
"discovery": "UNKNOWN"
},
"title": "Insecure IPsec transport encryption in Cilium"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28860",
"datePublished": "2024-03-27T18:34:23.105Z",
"dateReserved": "2024-03-11T22:45:07.686Z",
"dateUpdated": "2024-08-02T00:56:58.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-41332
Vulnerability from cvelistv5
Published
2023-09-26 20:27
Modified
2024-09-23 20:30
Severity ?
EPSS score ?
Summary
Denial of service via Kubernetes annotations in specific Cilium configurations
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/pull/27597 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:34.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp"
},
{
"name": "https://github.com/cilium/cilium/pull/27597",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/pull/27597"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T20:30:32.107290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T20:30:43.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.2"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.7"
},
{
"status": "affected",
"version": "\u003c 1.12.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium\u0027s Layer 7 proxy has been disabled, creating workloads with `policy.cilium.io/proxy-visibility` annotations (in Cilium \u003e= v1.13) or `io.cilium.proxy-visibility` annotations (in Cilium \u003c= v1.12) causes the Cilium agent to segfault on the node to which the workload is assigned. Existing traffic on the affected node will continue to flow, but the Cilium agent on the node will not able to process changes to workloads running on the node. This will also prevent workloads from being able to start on the affected node. The denial of service will be limited to the node on which the workload is scheduled, however an attacker may be able to schedule workloads on the node of their choosing, which could lead to targeted attacks. This issue has been resolved in Cilium versions 1.14.2, 1.13.7, and 1.12.14. Users unable to upgrade can avoid this denial of service attack by enabling the Layer 7 proxy.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T20:27:41.226Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp"
},
{
"name": "https://github.com/cilium/cilium/pull/27597",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/27597"
}
],
"source": {
"advisory": "GHSA-24m5-r6hv-ccgp",
"discovery": "UNKNOWN"
},
"title": "Denial of service via Kubernetes annotations in specific Cilium configurations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41332",
"datePublished": "2023-09-26T20:27:41.226Z",
"dateReserved": "2023-08-28T16:56:43.367Z",
"dateUpdated": "2024-09-23T20:30:43.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-29178
Vulnerability from cvelistv5
Published
2022-05-20 18:15
Modified
2024-08-03 06:17
Severity ?
EPSS score ?
Summary
Incorrect Default Permissions in Cilium
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-6p8v-8cq8-v2r3 | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/releases/tag/v1.10.11 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.11.5 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.9.16 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-6p8v-8cq8-v2r3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.9.16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.16"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 1000 can access the API of Cilium via Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system availability on that host. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. A potential workaround is to modify Cilium\u0027s DaemonSet to run with a certain command, which can be found in the GitHub Security Advisory for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T18:15:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-6p8v-8cq8-v2r3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.9.16"
}
],
"source": {
"advisory": "GHSA-6p8v-8cq8-v2r3",
"discovery": "UNKNOWN"
},
"title": "Incorrect Default Permissions in Cilium",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29178",
"STATE": "PUBLIC",
"TITLE": "Incorrect Default Permissions in Cilium"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cilium",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.16"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.5"
}
]
}
}
]
},
"vendor_name": "cilium"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 1000 can access the API of Cilium via Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system availability on that host. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. A potential workaround is to modify Cilium\u0027s DaemonSet to run with a certain command, which can be found in the GitHub Security Advisory for this vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276: Incorrect Default Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-6p8v-8cq8-v2r3",
"refsource": "CONFIRM",
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-6p8v-8cq8-v2r3"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/cilium/cilium/releases/tag/v1.10.11"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.11.5",
"refsource": "MISC",
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.5"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.9.16",
"refsource": "MISC",
"url": "https://github.com/cilium/cilium/releases/tag/v1.9.16"
}
]
},
"source": {
"advisory": "GHSA-6p8v-8cq8-v2r3",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29178",
"datePublished": "2022-05-20T18:15:12",
"dateReserved": "2022-04-13T00:00:00",
"dateUpdated": "2024-08-03T06:17:54.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-42487
Vulnerability from cvelistv5
Published
2024-08-15 20:26
Modified
2024-08-15 20:46
Severity ?
EPSS score ?
Summary
Cilium's Gateway API route matching order contradicts specification
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/pull/34109 | x_refsource_MISC | |
| https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-15T20:46:25.530673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T20:46:34.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "= 1.16.0"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched. This could result in unexpected behaviour with security This issue is fixed in Cilium v1.15.8 and v1.16.1. There is no workaround for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T20:26:53.455Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww"
},
{
"name": "https://github.com/cilium/cilium/pull/34109",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/34109"
},
{
"name": "https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a"
}
],
"source": {
"advisory": "GHSA-qcm3-7879-xcww",
"discovery": "UNKNOWN"
},
"title": "Cilium\u0027s Gateway API route matching order contradicts specification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42487",
"datePublished": "2024-08-15T20:26:53.455Z",
"dateReserved": "2024-08-02T14:13:04.617Z",
"dateUpdated": "2024-08-15T20:46:34.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-42486
Vulnerability from cvelistv5
Published
2024-08-16 14:34
Modified
2024-08-16 14:54
Severity ?
EPSS score ?
Summary
Cilium vulnerable to information leakage via incorrect ReferenceGrant update logic in Gateway API
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/pull/34032 | x_refsource_MISC | |
| https://github.com/cilium/cilium/commit/ed3dfa0aab8b80f7e841a6d49d2a990ac2dca053 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T14:54:08.118253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T14:54:16.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "= 1.16.0"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium\u0027s GatewayAPI controller, which could lead to Gateway resources being able to access secrets for longer than intended, or to Routes having the ability to forward traffic to backends in other namespaces for longer than intended. This issue has been patched in Cilium v1.15.8 and v1.16.1. As a workaround, any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any of these resources) will trigger a reconciliation of ReferenceGrants on an affected cluster."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T14:34:41.560Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm"
},
{
"name": "https://github.com/cilium/cilium/pull/34032",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/34032"
},
{
"name": "https://github.com/cilium/cilium/commit/ed3dfa0aab8b80f7e841a6d49d2a990ac2dca053",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/ed3dfa0aab8b80f7e841a6d49d2a990ac2dca053"
}
],
"source": {
"advisory": "GHSA-vwf8-q6fw-4wcm",
"discovery": "UNKNOWN"
},
"title": "Cilium vulnerable to information leakage via incorrect ReferenceGrant update logic in Gateway API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42486",
"datePublished": "2024-08-16T14:34:41.560Z",
"dateReserved": "2024-08-02T14:13:04.617Z",
"dateUpdated": "2024-08-16T14:54:16.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-52529
Vulnerability from cvelistv5
Published
2024-11-25 18:49
Modified
2024-11-26 14:28
Severity ?
EPSS score ?
Summary
Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67 | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/pull/35150 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"lessThan": "1.16.4",
"status": "affected",
"version": "1.16.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52529",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T14:27:46.184253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T14:28:59.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.16.0, \u003c 1.16.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the first policy\u0027s range the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue only affects users who use Cilium\u0027s port range functionality, which was introduced in Cilium v1.16. This issue is patched in PR #35150. This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive. This issue is patched in Cilium v1.16.4. Users are advised to upgrade. Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T18:49:15.616Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67"
},
{
"name": "https://github.com/cilium/cilium/pull/35150",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/35150"
}
],
"source": {
"advisory": "GHSA-xg58-75qf-9r67",
"discovery": "UNKNOWN"
},
"title": "Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52529",
"datePublished": "2024-11-25T18:49:15.616Z",
"dateReserved": "2024-11-11T18:49:23.561Z",
"dateUpdated": "2024-11-26T14:28:59.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-30851
Vulnerability from cvelistv5
Published
2023-05-25 17:47
Modified
2024-08-02 14:37
Severity ?
EPSS score ?
Summary
Potential HTTP policy bypass when using header rules in Cilium
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4 | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/releases/tag/v1.11.16 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.12.9 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.13.2 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.467Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.11.16",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.16"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.12.9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.12.9"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.16"
},
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 1.12.9"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-25T17:47:51.095Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.11.16",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.16"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.12.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.12.9"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.2"
}
],
"source": {
"advisory": "GHSA-2h44-x2wx-49f4",
"discovery": "UNKNOWN"
},
"title": "Potential HTTP policy bypass when using header rules in Cilium"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30851",
"datePublished": "2023-05-25T17:47:51.095Z",
"dateReserved": "2023-04-18T16:13:15.881Z",
"dateUpdated": "2024-08-02T14:37:15.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-27594
Vulnerability from cvelistv5
Published
2023-03-17 19:56
Modified
2024-08-02 12:16
Severity ?
EPSS score ?
Summary
Cilium vulnerable to potential network policy bypass when routing IPv6 traffic
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/releases/tag/v1.11.15 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.12.8 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.13.1 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:35.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.11.15",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.15"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.12.8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.12.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.15"
},
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 1.12.8"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled.\n\nThis issue only manifests when Cilium is routing IPv6 traffic and NodePorts are used to route traffic to pods. IPv6 and endpoint routes are both disabled by default.\n\nThe problem has been fixed and is available on versions 1.11.15, 1.12.8, and 1.13.1. As a workaround, disable IPv6 routing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-17T19:56:43.687Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.11.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.15"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.12.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.12.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.1"
}
],
"source": {
"advisory": "GHSA-8fg8-jh2h-f2hc",
"discovery": "UNKNOWN"
},
"title": "Cilium vulnerable to potential network policy bypass when routing IPv6 traffic "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27594",
"datePublished": "2023-03-17T19:56:43.687Z",
"dateReserved": "2023-03-04T01:03:53.636Z",
"dateUpdated": "2024-08-02T12:16:35.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-27593
Vulnerability from cvelistv5
Published
2023-03-17 19:51
Modified
2024-08-02 12:16
Severity ?
EPSS score ?
Summary
cilium-agent container can access the host via `hostPath` mount
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/pull/24075 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.11.15 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.12.8 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.13.1 | x_refsource_MISC | |
| https://kubernetes.io/docs/reference/access-authn-authz/rbac/ | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:35.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx"
},
{
"name": "https://github.com/cilium/cilium/pull/24075",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/pull/24075"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.11.15",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.15"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.12.8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.12.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.1"
},
{
"name": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.15"
},
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 1.12.8"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node.\n\nThe issue has been fixed and the fix is available on versions 1.11.15, 1.12.8, and 1.13.1. Some workarounds are available. Kubernetes RBAC should be used to deny users and service accounts `exec` access to Cilium agent pods. In cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-17T19:51:16.689Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx"
},
{
"name": "https://github.com/cilium/cilium/pull/24075",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/24075"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.11.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.15"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.12.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.12.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.1"
},
{
"name": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"tags": [
"x_refsource_MISC"
],
"url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
}
],
"source": {
"advisory": "GHSA-4hc4-pgfx-3mrx",
"discovery": "UNKNOWN"
},
"title": "cilium-agent container can access the host via `hostPath` mount"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27593",
"datePublished": "2023-03-17T19:51:16.689Z",
"dateReserved": "2023-03-04T01:03:53.635Z",
"dateUpdated": "2024-08-02T12:16:35.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-29179
Vulnerability from cvelistv5
Published
2022-05-20 18:30
Modified
2024-08-03 06:17
Severity ?
EPSS score ?
Summary
Improper Privilege Management in Cilium
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/releases/tag/v1.10.11 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.11.5 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.9.16 | x_refsource_MISC | |
| https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.9.16"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.16"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"status": "affected",
"version": "\u003e= 1.11.0, \u003c 1.11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Prior to versions 1.9.16, 1.10.11, and 1.11.15, if an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can escalate privileges to cluster admin by using Cilium\u0027s Kubernetes service account. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. There are no known workarounds available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T18:30:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.10.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.9.16"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g"
}
],
"source": {
"advisory": "GHSA-fmrf-gvjp-5j5g",
"discovery": "UNKNOWN"
},
"title": "Improper Privilege Management in Cilium",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29179",
"STATE": "PUBLIC",
"TITLE": "Improper Privilege Management in Cilium"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cilium",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.16"
},
{
"version_value": "\u003e= 1.10.0, \u003c 1.10.11"
},
{
"version_value": "\u003e= 1.11.0, \u003c 1.11.5"
}
]
}
}
]
},
"vendor_name": "cilium"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Prior to versions 1.9.16, 1.10.11, and 1.11.15, if an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can escalate privileges to cluster admin by using Cilium\u0027s Kubernetes service account. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. There are no known workarounds available."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.10.11",
"refsource": "MISC",
"url": "https://github.com/cilium/cilium/releases/tag/v1.10.11"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.11.5",
"refsource": "MISC",
"url": "https://github.com/cilium/cilium/releases/tag/v1.11.5"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.9.16",
"refsource": "MISC",
"url": "https://github.com/cilium/cilium/releases/tag/v1.9.16"
},
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g",
"refsource": "CONFIRM",
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-fmrf-gvjp-5j5g"
}
]
},
"source": {
"advisory": "GHSA-fmrf-gvjp-5j5g",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29179",
"datePublished": "2022-05-20T18:30:12",
"dateReserved": "2022-04-13T00:00:00",
"dateUpdated": "2024-08-03T06:17:54.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-47825
Vulnerability from cvelistv5
Published
2024-10-21 19:05
Modified
2024-10-21 19:59
Severity ?
EPSS score ?
Summary
CIDR deny policies may not take effect when a more narrow CIDR allow is present
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6 | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"lessThan": "1.15.10",
"status": "affected",
"version": "1.15.0",
"versionType": "custom"
},
{
"lessThan": "1.14.16",
"status": "affected",
"version": "1.14.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47825",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:58:00.432301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:59:01.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.10"
},
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more narrow prefix (`CIDRSet` or `toFQDN`) and this narrower policy rule specifies either `enableDefaultDeny: false` or `- toEntities: all`. Note that a rule specifying `toEntities: world` or `toEntities: 0.0.0.0/0` is insufficient, it must be to entity `all`.This issue has been patched in Cilium v1.14.16 and v1.15.10. As this issue only affects policies using `enableDefaultDeny: false` or that set `toEntities` to `all`, some workarounds are available. For users with policies using `enableDefaultDeny: false`, remove this configuration option and explicitly define any allow rules required. For users with egress policies that explicitly specify `toEntities: all`, use `toEntities: world`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:05:55.430Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6"
}
],
"source": {
"advisory": "GHSA-3wwx-63fv-pfq6",
"discovery": "UNKNOWN"
},
"title": "CIDR deny policies may not take effect when a more narrow CIDR allow is present"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47825",
"datePublished": "2024-10-21T19:05:55.430Z",
"dateReserved": "2024-10-03T14:06:12.641Z",
"dateUpdated": "2024-10-21T19:59:01.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-29002
Vulnerability from cvelistv5
Published
2023-04-18 21:21
Modified
2024-08-02 13:51
Severity ?
EPSS score ?
Summary
Debug mode leaks confidential data in Cilium
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8 | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:39.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7, \u003c 1.11.16"
},
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 1.12.9"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the `cilium-secrets` namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug output from the Cilium containers could use the resulting output to intercept and modify traffic to and from the affected cluster. Output of the sensitive information would occur at Cilium agent restart, when secrets in the namespace are modified, and on creation of Ingress or GatewayAPI resources. This vulnerability is fixed in Cilium releases 1.11.16, 1.12.9, and 1.13.2. Users unable to upgrade should disable debug mode."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-18T21:21:11.033Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8"
}
],
"source": {
"advisory": "GHSA-pg5p-wwp8-97g8",
"discovery": "UNKNOWN"
},
"title": "Debug mode leaks confidential data in Cilium"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29002",
"datePublished": "2023-04-18T21:21:11.033Z",
"dateReserved": "2023-03-29T17:39:16.142Z",
"dateUpdated": "2024-08-02T13:51:39.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28248
Vulnerability from cvelistv5
Published
2024-03-18 21:31
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
Cilium intermittent HTTP policy bypass
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85 | x_refsource_CONFIRM | |
| https://docs.cilium.io/en/stable/security/policy/language/#http | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.13.13 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.14.8 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.15.2 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28248",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-21T18:21:21.589831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:04:02.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.593Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85"
},
{
"name": "https://docs.cilium.io/en/stable/security/policy/language/#http",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cilium.io/en/stable/security/policy/language/#http"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.13.9, \u003c 1.13.13"
},
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.8"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.9 and prior to versions 1.13.13, 1.14.8, and 1.15.2, Cilium\u0027s HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped. This issue has been patched in Cilium 1.15.2, 1.14.8, and 1.13.13. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T21:33:23.689Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85"
},
{
"name": "https://docs.cilium.io/en/stable/security/policy/language/#http",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/stable/security/policy/language/#http"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"
}
],
"source": {
"advisory": "GHSA-68mj-9pjq-mc85",
"discovery": "UNKNOWN"
},
"title": "Cilium intermittent HTTP policy bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28248",
"datePublished": "2024-03-18T21:31:51.318Z",
"dateReserved": "2024-03-07T14:33:30.036Z",
"dateUpdated": "2024-08-02T00:48:49.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-28249
Vulnerability from cvelistv5
Published
2024-03-18 21:36
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
Cilium has possible unencrypted traffic between nodes when using IPsec and L7 policies
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36 | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/releases/tag/v1.13.13 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.14.8 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.15.2 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-19T14:34:32.978403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:57.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.13"
},
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.8"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node\u0027s Envoy proxy and pods on other nodes is sent unencrypted and IPsec-eligible traffic between a node\u0027s DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.15.2, 1.14.8, and 1.13.13. There is no known workaround for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311: Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T21:36:10.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.15.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"
}
],
"source": {
"advisory": "GHSA-j89h-qrvr-xc36",
"discovery": "UNKNOWN"
},
"title": "Cilium has possible unencrypted traffic between nodes when using IPsec and L7 policies"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28249",
"datePublished": "2024-03-18T21:36:10.510Z",
"dateReserved": "2024-03-07T14:33:30.036Z",
"dateUpdated": "2024-08-02T00:48:49.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-25631
Vulnerability from cvelistv5
Published
2024-02-20 18:08
Modified
2024-08-26 14:46
Severity ?
EPSS score ?
Summary
Unencrypted traffic between pods when using Wireguard and an external kvstore
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4 | x_refsource_CONFIRM | |
| https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore | x_refsource_MISC | |
| https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.14.7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:44:09.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4"
},
{
"name": "https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore"
},
{
"name": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.7"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"lessThan": "1.14.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:40:06.425184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T14:46:55.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311: Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T18:08:56.946Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4"
},
{
"name": "https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore"
},
{
"name": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.14.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.14.7"
}
],
"source": {
"advisory": "GHSA-x989-52fc-4vr4",
"discovery": "UNKNOWN"
},
"title": "Unencrypted traffic between pods when using Wireguard and an external kvstore"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25631",
"datePublished": "2024-02-20T18:08:56.946Z",
"dateReserved": "2024-02-08T22:26:33.512Z",
"dateUpdated": "2024-08-26T14:46:55.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-37307
Vulnerability from cvelistv5
Published
2024-06-13 16:09
Modified
2024-08-19 17:04
Severity ?
EPSS score ?
Summary
Cilium leaks sensitive information in cilium-bugtool
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j"
},
{
"name": "https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407"
},
{
"name": "https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a"
},
{
"name": "https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741"
},
{
"name": "https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653"
},
{
"name": "https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b"
},
{
"name": "https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"lessThan": "1.13.17",
"status": "affected",
"version": "1.13.0",
"versionType": "custom"
},
{
"lessThan": "1.14.12",
"status": "affected",
"version": "1.14.0",
"versionType": "custom"
},
{
"lessThan": "1.15.6",
"status": "affected",
"version": "1.15.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37307",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T17:02:42.581479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T17:04:31.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.17"
},
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.12"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.0 and prior to versions 1.13.7, 1.14.12, and 1.15.6, the output of `cilium-bugtool` can contain sensitive data when the tool is run (with the `--envoy-dump` flag set) against Cilium deployments with the Envoy proxy enabled. Users of the TLS inspection, Ingress with TLS termination, Gateway API with TLS termination, and Kafka network policies with API key filtering features are affected. The sensitive data includes the CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API and the API keys used in Kafka-related network policy. `cilium-bugtool` is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster. This issue has been patched in Cilium v1.15.6, v1.14.12, and v1.13.17. There is no workaround to this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T16:09:22.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j"
},
{
"name": "https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407"
},
{
"name": "https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a"
},
{
"name": "https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741"
},
{
"name": "https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653"
},
{
"name": "https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b"
},
{
"name": "https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61"
}
],
"source": {
"advisory": "GHSA-wh78-7948-358j",
"discovery": "UNKNOWN"
},
"title": "Cilium leaks sensitive information in cilium-bugtool"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37307",
"datePublished": "2024-06-13T16:09:22.378Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2024-08-19T17:04:31.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-39347
Vulnerability from cvelistv5
Published
2023-09-26 18:30
Modified
2024-09-24 13:45
Severity ?
EPSS score ?
Summary
Cilium NetworkPolicy bypass via pod labels
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-gj2r-phwg-6rww | x_refsource_CONFIRM | |
| https://docs.cilium.io/en/latest/security/threat-model/#kubernetes-api-server-attacker | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:02:06.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-gj2r-phwg-6rww",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-gj2r-phwg-6rww"
},
{
"name": "https://docs.cilium.io/en/latest/security/threat-model/#kubernetes-api-server-attacker",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cilium.io/en/latest/security/threat-model/#kubernetes-api-server-attacker"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T13:24:24.851028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T13:45:29.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.14.0, \u003c 1.14.2"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.7 "
},
{
"status": "affected",
"version": "\u003c 1.12.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels to select the policies which apply to the workload in question. This can affect Cilium network policies that use the namespace, service account or cluster constructs to restrict traffic, Cilium clusterwide network policies that use Cilium namespace labels to select the Pod and Kubernetes network policies. Non-existent construct names can be provided, which bypass all network policies applicable to the construct. For example, providing a pod with a non-existent namespace as the value of the `io.kubernetes.pod.namespace` label results in none of the namespaced CiliumNetworkPolicies applying to the pod in question. This attack requires the attacker to have Kubernetes API Server access, as described in the Cilium Threat Model. This issue has been resolved in: Cilium versions 1.14.2, 1.13.7, and 1.12.14. Users are advised to upgrade. As a workaround an admission webhook can be used to prevent pod label updates to the `k8s:io.kubernetes.pod.namespace` and `io.cilium.k8s.policy.*` keys."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T18:30:00.635Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-gj2r-phwg-6rww",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-gj2r-phwg-6rww"
},
{
"name": "https://docs.cilium.io/en/latest/security/threat-model/#kubernetes-api-server-attacker",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/latest/security/threat-model/#kubernetes-api-server-attacker"
}
],
"source": {
"advisory": "GHSA-gj2r-phwg-6rww",
"discovery": "UNKNOWN"
},
"title": "Cilium NetworkPolicy bypass via pod labels"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39347",
"datePublished": "2023-09-26T18:30:00.635Z",
"dateReserved": "2023-07-28T13:26:46.477Z",
"dateUpdated": "2024-09-24T13:45:29.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-27595
Vulnerability from cvelistv5
Published
2023-03-17 21:12
Modified
2024-08-02 12:16
Severity ?
EPSS score ?
Summary
Cilium eBPF filters may be temporarily removed during agent restart
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/cilium/cilium/security/advisories/GHSA-r5x6-w42p-jhpp | x_refsource_CONFIRM | |
| https://github.com/cilium/cilium/pull/24336 | x_refsource_MISC | |
| https://github.com/cilium/cilium/releases/tag/v1.13.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:36.027Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-r5x6-w42p-jhpp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-r5x6-w42p-jhpp"
},
{
"name": "https://github.com/cilium/cilium/pull/24336",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/pull/24336"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "= 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium\u0027s featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). This vulnerability is fixed in Cilium 1.13.1 or later. Cilium releases 1.12.x, 1.11.x, and earlier are not affected. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-17T21:12:00.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-r5x6-w42p-jhpp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-r5x6-w42p-jhpp"
},
{
"name": "https://github.com/cilium/cilium/pull/24336",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/24336"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.13.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.13.1"
}
],
"source": {
"advisory": "GHSA-r5x6-w42p-jhpp",
"discovery": "UNKNOWN"
},
"title": "Cilium eBPF filters may be temporarily removed during agent restart"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27595",
"datePublished": "2023-03-17T21:12:00.903Z",
"dateReserved": "2023-03-04T01:03:53.636Z",
"dateUpdated": "2024-08-02T12:16:36.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}