
CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

22 Jan 2025 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An insecure default `Access-Control-Allow-Origin` header value could lead to sensitive data exposure for users of Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4 who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI... • https://github.com/cilium/cilium/commit/a3489f190ba6e87b5336ee685fb6c80b1270d06d • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

22 Jan 2025 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster. For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as con... • https://github.com/cilium/cilium/pull/36252 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 8.7 | EPSS: 0% | CPEs: 2 | EXPL: 0

21 Oct 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more narrow prefix (`CIDRSet` or `toFQDN`) and this narrower policy rule specifies either `enableDefaultDeny: false` or `- toEntities: all`. Note that a rule specifying `toEntities: world` or `toEntities: 0.0.0.0/0` is insufficient, it mu... • https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6 • CWE-276: Incorrect Default Permissions •

CVSS: 6.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

15 Aug 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. This issue has been patched in Cilium v1.14.14 and v1.15.8. As the underlying issue depends on a race condition, users unable to upgrade... • https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 7.9 | EPSS: 0% | CPEs: 3 | EXPL: 0

13 Jun 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.0 and prior to versions 1.13.7, 1.14.12, and 1.15.6, the output of `cilium-bugtool` can contain sensitive data when the tool is run (with the `--envoy-dump` flag set) against Cilium deployments with the Envoy proxy enabled. Users of the TLS inspection, Ingress with TLS termination, Gateway API with TLS termination, and Kafka network policies with API key filtering features are affected. The se... • https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

27 Mar 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key recovery, replay attacks by a man-in-the-middle attacker. These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique ke... • https://docs.cilium.io/en/stable/security/network/encryption-ipsec • CWE-326: Inadequate Encryption Strength •

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

18 Mar 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, in Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies, WireGuard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted, and WireGuard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.... • https://github.com/cilium/cilium/releases/tag/v1.13.13 • CWE-311: Missing Encryption of Sensitive Data •

CVSS: 6.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

18 Mar 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sent unencrypted and IPsec-eligible traffic between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.15.2, 1.14.8, and 1.13.13. There is no known workaround for t... • https://github.com/cilium/cilium/releases/tag/v1.13.13 • CWE-311: Missing Encryption of Sensitive Data •

CVSS: 7.2 | EPSS: 0% | CPEs: 3 | EXPL: 0

18 Mar 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.9 and prior to versions 1.13.13, 1.14.8, and 1.15.2, Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped. This issue has been patched in Cilium 1.15.2, 1.14.8, and 1.13.13. There are no known workarounds for this issue. Cilium es una solución de redes, o... • https://docs.cilium.io/en/stable/security/policy/language/# • CWE-693: Protection Mechanism Failure •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Feb 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and WireGuard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround for this issue. Cilium is a networking, observability, and security solution with an eBPF-based dataplane. • https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore • CWE-311: Missing Encryption of Sensitive Data •