Cilium: Traffic to/from Ingress and Health Endpoints Not Encrypted in v1.14 Before v1.14.7
CVE-2024-25630

5.3MEDIUM

Key Information:

Vendor

cilium

Status
cilium
Vendor
CVE Published:
20 February 2024

What is CVE-2024-25630?

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue.

Affected Version(s)

cilium >= 1.14.0, < 1.14.7

References

https://github.com/cilium/cilium/security/advisories/GHSA...
x_refsource_CONFIRM
https://docs.cilium.io/en/stable/security/network/encrypt...
x_refsource_MISC
https://github.com/cilium/cilium/releases/tag/v1.14.7
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.