
CVE-2024-25630 – Cilium has unencrypted ingress/health traffic when using Wireguard transparent encryption
https://notcve.org/view.php?id=CVE-2024-25630
20 Feb 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue.
Reference: https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg
Weakness: CWE-311: Missing Encryption of Sensitive Data

CVE-2023-41332 – Denial of service via Kubernetes annotations in specific Cilium configurations
https://notcve.org/view.php?id=CVE-2023-41332
26 Sep 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with `policy.cilium.io/proxy-visibility` annotations (in Cilium >= v1.13) or `io.cilium.proxy-visibility` annotations (in Cilium <= v1.12) causes the Cilium agent to segfault on the node to which the workload is assigned. Existing traffic on the affected node will continue to flow, but the Cilium agent on the node will not be able to pr...
Reference: https://github.com/cilium/cilium/pull/27597
Weakness: CWE-755: Improper Handling of Exceptional Conditions

CVE-2023-41333 – Bypass of namespace restrictions in CiliumNetworkPolicy
https://notcve.org/view.php?id=CVE-2023-41333
26 Sep 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces. By using a crafted `endpointSelector` that uses the `DoesNotExist` operator on the `reserved:init` label, the attacker can create policies that bypass namespace restrictions and affect the entire Ciliu...
Reference: https://docs.cilium.io/en/stable/security/threat-model/#kubernetes-api-server-attacker
Weakness: CWE-306: Missing Authentication for Critical Function

CVE-2023-39347 – Cilium NetworkPolicy bypass via pod labels
https://notcve.org/view.php?id=CVE-2023-39347
26 Sep 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels to select the policies which apply to the workload in question. This can affect Cilium network policies that use the namespace, service account or cluster constructs to restrict traffic, Cilium clusterwide network ...
Reference: https://docs.cilium.io/en/latest/security/threat-model/#kubernetes-api-server-attacker
Weakness: CWE-345: Insufficient Verification of Data Authenticity