
CVE-2024-47825 – CIDR deny policies may not take effect when a more narrow CIDR allow is present
https://notcve.org/view.php?id=CVE-2024-47825
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more narrow prefix (`CIDRSet` or `toFQDN`) and this narrower policy rule specifies either `enableDefaultDeny: false` or `- toEntities: all`. Note that a rule specifying `toEntities: world` or `toEntities: 0.0.0.0/0` is insufficient; it must be to entity `all`. This issue has been patched in Cilium v1.14.16 and v1.15.10. As this issue only affects policies using `enableDefaultDeny: false` or that set `toEntities` to `all`, some workarounds are available. For users with policies using `enableDefaultDeny: false`, remove this configuration option and explicitly define any allow rules required. • https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6 • CWE-276: Incorrect Default Permissions

CVE-2024-42486 – Cilium vulnerable to information leakage via incorrect ReferenceGrant update logic in Gateway API
https://notcve.org/view.php?id=CVE-2024-42486
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium's GatewayAPI controller, which could lead to Gateway resources being able to access secrets for longer than intended, or to Routes having the ability to forward traffic to backends in other namespaces for longer than intended. This issue has been patched in Cilium v1.15.8 and v1.16.1. As a workaround, any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any of these resources) will trigger a reconciliation of ReferenceGrants on an affected cluster. • https://github.com/cilium/cilium/commit/ed3dfa0aab8b80f7e841a6d49d2a990ac2dca053 https://github.com/cilium/cilium/pull/34032 https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-42488 – Cilium agent's race condition may lead to policy bypass for Host Firewall policy
https://notcve.org/view.php?id=CVE-2024-42488
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. This issue has been patched in Cilium v1.14.14 and v1.15.8. As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected. • https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw https://github.com/cilium/cilium/pull/33511 https://github.com/cilium/cilium/commit/aa44dd148a9be95e07782e4f990e61678ef0abf8 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVE-2024-42487 – Cilium's Gateway API route matching order contradicts specification
https://notcve.org/view.php?id=CVE-2024-42487
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched. This could result in unexpected behaviour with security. This issue is fixed in Cilium v1.15.8 and v1.16.1. There is no workaround for this issue. • https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww https://github.com/cilium/cilium/pull/34109 https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CVE-2024-37307 – Cilium leaks sensitive information in cilium-bugtool
https://notcve.org/view.php?id=CVE-2024-37307
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.0 and prior to versions 1.13.7, 1.14.12, and 1.15.6, the output of `cilium-bugtool` can contain sensitive data when the tool is run (with the `--envoy-dump` flag set) against Cilium deployments with the Envoy proxy enabled. Users of the TLS inspection, Ingress with TLS termination, Gateway API with TLS termination, and Kafka network policies with API key filtering features are affected. The sensitive data includes the CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies and by Ingress/Gateway API, and the API keys used in Kafka-related network policies. `cilium-bugtool` is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster. • https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407 https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741 https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653 https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61 https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor