CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42488 – Cilium agent's race condition may lead to policy bypass for Host Firewall policy
https://notcve.org/view.php?id=CVE-2024-42488
15 Aug 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. This issue has been patched in Cilium v1.14.14 and v1.15.8 As the underlying issue depends on a race condition, users unable to upgrade... • https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-28860 – Insecure IPsec transport encryption in Cilium
https://notcve.org/view.php?id=CVE-2024-28860
27 Mar 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key recovery, replay attacks by a man-in-the-middle attacker. These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique ke... • https://docs.cilium.io/en/stable/security/network/encryption-ipsec • CWE-326: Inadequate Encryption Strength •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-28249 – Cilium has possible unencrypted traffic between nodes when using IPsec and L7 policies
https://notcve.org/view.php?id=CVE-2024-28249
18 Mar 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sent unencrypted and IPsec-eligible traffic between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.15.2, 1.14.8, and 1.13.13. There is no known workaround for t... • https://github.com/cilium/cilium/releases/tag/v1.13.13 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25631 – Unencrypted traffic between pods when using Wireguard and an external kvstore
https://notcve.org/view.php?id=CVE-2024-25631
20 Feb 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue. Cilium es una solución de redes, observabilidad y seguridad con un plano de datos basado en eBPF. • https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 2CVE-2023-41332 – Denial of service via Kubernetes annotations in specific Cilium configurations
https://notcve.org/view.php?id=CVE-2023-41332
26 Sep 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with `policy.cilium.io/proxy-visibility` annotations (in Cilium >= v1.13) or `io.cilium.proxy-visibility` annotations (in Cilium <= v1.12) causes the Cilium agent to segfault on the node to which the workload is assigned. Existing traffic on the affected node will continue to flow, but the Cilium agent on the node will not able to pr... • https://github.com/cilium/cilium/pull/27597 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-41333 – Bypass of namespace restrictions in CiliumNetworkPolicy
https://notcve.org/view.php?id=CVE-2023-41333
26 Sep 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces. By using a crafted `endpointSelector` that uses the `DoesNotExist` operator on the `reserved:init` label, the attacker can create policies that bypass namespace restrictions and affect the entire Ciliu... • https://docs.cilium.io/en/stable/security/threat-model/#kubernetes-api-server-attacker • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 1CVE-2023-39347 – Cilium NetworkPolicy bypass via pod labels
https://notcve.org/view.php?id=CVE-2023-39347
26 Sep 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels to select the policies which apply to the workload in question. This can affect Cilium network policies that use the namespace, service account or cluster constructs to restrict traffic, Cilium clusterwide network ... • https://docs.cilium.io/en/latest/security/threat-model/#kubernetes-api-server-attacker • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34242 – Cilium vulnerable to information leakage via incorrect ReferenceGrant handling
https://notcve.org/view.php?id=CVE-2023-34242
15 Jun 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of secrets (including certificates) and services across namespaces. An attacker on an affected cluster can leverage this issue to use cluster secrets that should not be visible to them, or communicate with services that th... • https://github.com/cilium/cilium/releases/tag/v1.13.4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30851 – Potential HTTP policy bypass when using header rules in Cilium
https://notcve.org/view.php?id=CVE-2023-30851
25 May 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2. • https://github.com/cilium/cilium/releases/tag/v1.11.16 • CWE-693: Protection Mechanism Failure •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29002 – Debug mode leaks confidential data in Cilium
https://notcve.org/view.php?id=CVE-2023-29002
18 Apr 2023 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the `cilium-secrets` namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug output from the Cilium containers could use the resulting output to intercept and modify traffic to and from the affected cluster. Output of the sensitive information would occur at Cilium agent restart, when secr... • https://github.com/cilium/cilium/security/advisories/GHSA-pg5p-wwp8-97g8 • CWE-532: Insertion of Sensitive Information into Log File •