CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30851 – Potential HTTP policy bypass when using header rules in Cilium
https://notcve.org/view.php?id=CVE-2023-30851
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2. • https://github.com/cilium/cilium/releases/tag/v1.11.16 https://github.com/cilium/cilium/releases/tag/v1.12.9 https://github.com/cilium/cilium/releases/tag/v1.13.2 https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4 • CWE-693: Protection Mechanism Failure •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29002 – Debug mode leaks confidential data in Cilium
https://notcve.org/view.php?id=CVE-2023-29002
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the `cilium-secrets` namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug output from the Cilium containers could use the resulting output to intercept and modify traffic to and from the affected cluster. Output of the sensitive information would occur at Cilium agent restart, when secrets in the namespace are modified, and on creation of Ingress or GatewayAPI resources. • https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28114 – `cilium-cli` disables etcd authorization for clustermesh clusters
https://notcve.org/view.php?id=CVE-2023-28114
`cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue. Due to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster. This issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium's Helm charts to create their cluster. • https://artifacthub.io/packages/helm/cilium/cilium https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610 https://github.com/cilium/cilium-cli/releases/tag/v0.13.2 https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27595 – Cilium eBPF filters may be temporarily removed during agent restart
https://notcve.org/view.php?id=CVE-2023-27595
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). • https://github.com/cilium/cilium/pull/24336 https://github.com/cilium/cilium/releases/tag/v1.13.1 https://github.com/cilium/cilium/security/advisories/GHSA-r5x6-w42p-jhpp • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-27594 – Cilium vulnerable to potential network policy bypass when routing IPv6 traffic
https://notcve.org/view.php?id=CVE-2023-27594
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. This issue only manifests when Cilium is routing IPv6 traffic and NodePorts are used to route traffic to pods. IPv6 and endpoint routes are both disabled by default. The problem has been fixed and is available on versions 1.11.15, 1.12.8, and 1.13.1. As a workaround, disable IPv6 routing. • https://github.com/cilium/cilium/releases/tag/v1.11.15 https://github.com/cilium/cilium/releases/tag/v1.12.8 https://github.com/cilium/cilium/releases/tag/v1.13.1 https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •