CVE-2024-52529 – Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium
https://notcve.org/view.php?id=CVE-2024-52529
25 Nov 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Layer 7 enforcement does not occur for traffic selected by a Layer 7 policy when a user has both of the following: (1) an allow policy that selects a Layer 3 destination and a port range, and (2) a Layer 7 allow policy that selects a specific port within the first policy's range. This issue only affects users of Cilium's port range functionality, which was introduced in Cilium v1.16. • https://github.com/cilium/cilium/pull/35150 • CWE-755: Improper Handling of Exceptional Conditions •
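The affected combination is easy to miss in a cluster with many policies, so here is an added audit script (not Cilium project code) that walks CiliumNetworkPolicy objects in the JSON shape `kubectl get cnp -A -o json` returns and reports every policy with a port range (the `endPort` field added with Cilium 1.16 port-range support) that contains the port of another policy carrying Layer 7 `rules` in the same direction. The three policies below are constructed for the example; the check is deliberately conservative and does not compare endpoint selectors, so a hit means "review this pair", and the real remedy is upgrading to a release that contains the linked pull request.

```python
# Added example, not Cilium's code: flag CiliumNetworkPolicy pairs matching the
# CVE-2024-52529 condition (a port-range allow plus an L7 allow on a port inside it).
from typing import Iterator, List, Optional, Tuple

def iter_port_entries(policy: dict, direction: str) -> Iterator[Tuple[dict, dict]]:
    """Yield (toPorts entry, port entry) for every port in ingress/egress rules."""
    for rule in policy.get("spec", {}).get(direction, []):
        for to_ports in rule.get("toPorts", []):
            for port in to_ports.get("ports", []):
                yield to_ports, port

def numeric_range(port: dict) -> Optional[Tuple[int, int]]:
    """Return (start, end) for a numeric port entry; named ports are skipped."""
    start = str(port.get("port", ""))
    if not start.isdigit():
        return None
    end = int(port.get("endPort", start))  # endPort: port-range support (Cilium 1.16+)
    return int(start), end

def find_affected_pairs(policies: List[dict]) -> List[Tuple[str, str, str, int]]:
    """Return (range policy, L7 policy, direction, L7 port) for each suspicious pair."""
    ranges, l7_ports = [], []
    for pol in policies:
        meta = pol["metadata"]
        name = f"{meta.get('namespace', 'default')}/{meta['name']}"
        for direction in ("ingress", "egress"):
            for to_ports, port in iter_port_entries(pol, direction):
                rng = numeric_range(port)
                if rng is None:
                    continue
                proto = port.get("protocol", "ANY")
                if "rules" in to_ports:          # http/kafka/dns/l7 rules => Layer 7 policy
                    l7_ports.append((name, direction, rng[0], proto))
                elif rng[1] > rng[0]:            # a real range, not a single port
                    ranges.append((name, direction, rng[0], rng[1], proto))
    findings = []
    for r_name, r_dir, r_start, r_end, r_proto in ranges:
        for l_name, l_dir, l_port, l_proto in l7_ports:
            proto_overlap = "ANY" in (r_proto, l_proto) or r_proto == l_proto
            if r_dir == l_dir and proto_overlap and r_start <= l_port <= r_end:
                findings.append((r_name, l_name, l_dir, l_port))
    return findings

# Constructed sample policies (assumed labels and ports, not from any real cluster).
POLICIES = [
    {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
     "metadata": {"name": "allow-api-range", "namespace": "prod"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "frontend"}},
              "egress": [{"toEndpoints": [{"matchLabels": {"app": "api"}}],
                          "toPorts": [{"ports": [{"port": "8000", "endPort": 8999,
                                                  "protocol": "TCP"}]}]}]}},
    {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
     "metadata": {"name": "api-l7", "namespace": "prod"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "frontend"}},
              "egress": [{"toEndpoints": [{"matchLabels": {"app": "api"}}],
                          "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"}],
                                       "rules": {"http": [{"method": "GET",
                                                           "path": "/v1/.*"}]}}]}]}},
    {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
     "metadata": {"name": "dns-visibility", "namespace": "prod"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "frontend"}},
              "egress": [{"toEndpoints": [{"matchLabels": {"k8s:k8s-app": "kube-dns"}}],
                          "toPorts": [{"ports": [{"port": "53", "protocol": "UDP"}],
                                       "rules": {"dns": [{"matchPattern": "*"}]}}]}]}},
]

if __name__ == "__main__":
    for r_name, l_name, direction, port in find_affected_pairs(POLICIES):
        print(f"{direction}: range policy {r_name} covers L7 policy {l_name} on port {port}")
```

Only the 8080 HTTP policy is reported: it falls inside the 8000-8999 range granted by `allow-api-range` to the same destination, which is exactly the shape the advisory describes, while the DNS rule on 53/UDP is outside any range and is left alone.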
CVE-2024-42486 – Cilium vulnerable to information leakage via incorrect ReferenceGrant update logic in Gateway API
https://notcve.org/view.php?id=CVE-2024-42486
16 Aug 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium's GatewayAPI controller, which could lead to Gateway resources being able to access secrets for longer than intended, or to Routes having the ability to forward traffic to backends in other namespaces for longer than intended. This issue has been patched in Cilium v1.15.... • https://github.com/cilium/cilium/commit/ed3dfa0aab8b80f7e841a6d49d2a990ac2dca053 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-42487 – Cilium's Gateway API route matching order contradicts specification
https://notcve.org/view.php?id=CVE-2024-42487
15 Aug 2024 — Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence defined in the Gateway API specification. In particular, request headers are matched before request methods, whereas the specification requires method matches to take precedence over header matches. This could result in unexpected behaviour with security This ... • https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
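To make the precedence problem concrete, here is an added example (not Cilium's or the Gateway API project's code) that implements the HTTPRoute match ordering the Gateway API specification mandates (Exact path, then longest PathPrefix, then method, then most header matches, then most query parameter matches) beside the header-before-method ordering the advisory describes, and shows that the two pick different rules for the same request. Matches are plain dicts in HTTPRouteMatch shape; the route names, paths and header are constructed for the example, and `RegularExpression` paths are left out.

```python
# Added example, not Cilium's code: Gateway API HTTPRoute match precedence,
# spec-ordered vs. the header-first ordering described for CVE-2024-42487.
from typing import Callable, List, Optional, Tuple

Match = dict
Request = dict  # {"method", "path", "headers" (lower-cased names), "query"}

def match_applies(m: Match, req: Request) -> bool:
    """Does this HTTPRouteMatch select the request at all?"""
    path = m.get("path", {"type": "PathPrefix", "value": "/"})
    if path["type"] == "Exact":
        if req["path"] != path["value"]:
            return False
    elif path["type"] == "PathPrefix":
        # Prefix matching is per path element: "/admin" matches "/admin/x", not "/adminx".
        prefix = path["value"].rstrip("/")
        if not (req["path"] == prefix or req["path"].startswith(prefix + "/")):
            return False
    else:
        return False  # RegularExpression paths not modelled here
    if "method" in m and m["method"] != req["method"]:
        return False
    for h in m.get("headers", []):  # header names are case-insensitive
        if req["headers"].get(h["name"].lower()) != h["value"]:
            return False
    for q in m.get("queryParams", []):
        if req["query"].get(q["name"]) != q["value"]:
            return False
    return True

def spec_key(m: Match) -> Tuple:
    """Higher tuple wins. Order per the Gateway API spec:
    Exact path > longest PathPrefix > method > header count > query param count."""
    path = m.get("path", {"type": "PathPrefix", "value": "/"})
    return (path["type"] == "Exact",
            len(path["value"]) if path["type"] == "PathPrefix" else 0,
            "method" in m,
            len(m.get("headers", [])),
            len(m.get("queryParams", [])))

def header_first_key(m: Match) -> Tuple:
    """The contradicting order from the advisory: headers compared before method."""
    exact, prefix_len, has_method, n_headers, n_query = spec_key(m)
    return (exact, prefix_len, n_headers, has_method, n_query)

def select_rule(rules: List[Tuple[str, Match]], req: Request,
                key: Callable[[Match], Tuple]) -> Optional[str]:
    """Pick the winning rule name; on a full tie the first listed rule wins here
    (the spec then falls back to Route creation time and name, not modelled)."""
    candidates = [(name, m) for name, m in rules if match_applies(m, req)]
    if not candidates:
        return None
    return max(candidates, key=lambda nm: key(nm[1]))[0]

# Constructed rules: one keyed on method, one keyed on a header, same path prefix.
ROUTE_RULES = [
    ("post-admin", {"path": {"type": "PathPrefix", "value": "/admin"},
                    "method": "POST"}),
    ("canary-admin", {"path": {"type": "PathPrefix", "value": "/admin"},
                      "headers": [{"name": "X-Canary", "value": "true"}]}),
]

# Constructed request that satisfies both rules.
REQUEST = {"method": "POST", "path": "/admin/users",
           "headers": {"x-canary": "true"}, "query": {}}

if __name__ == "__main__":
    print("spec order       ->", select_rule(ROUTE_RULES, REQUEST, spec_key))
    print("header-first     ->", select_rule(ROUTE_RULES, REQUEST, header_first_key))
```

Under the specification the method match wins and the request goes to `post-admin`; under the header-first ordering it goes to `canary-admin`. Whichever backend a given operator meant to be authoritative for writes, a rule set that relies on the spec ordering will route differently on an affected Cilium version, which is why the advisory matters even though no individual match is evaluated incorrectly.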