Skip to content

x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-3wwx-63fv-pfq6 #3208

Description

@GoVulnBot

Advisory GHSA-3wwx-63fv-pfq6 references a vulnerability in the following Go modules:

Module
github.com/cilium/cilium

Description:

Impact

A policy rule denying a prefix that is broader than /32 may be ignored if there is

  • A policy rule referencing a more narrow prefix (CIDRSet or toFQDN) and
  • This narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all

Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.

As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: block-scary-range
spec:...

References:
- ADVISORY: https://github.com/advisories/GHSA-3wwx-63fv-pfq6
- ADVISORY: https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6
- FIX: https://github.com/cilium/cilium/commit/02d28d9ac9afcaddd301fae6fb4d6cda8c2d0c45
- FIX: https://github.com/cilium/cilium/commit/9c01afb5646af3f0c696421a410dc66c513b6524

Cross references:
- github.com/cilium/cilium appears in 24 other report(s):
  - data/excluded/GO-2022-0530.yaml    (https://github.com/golang/vulndb/issues/530)    NOT_GO_CODE
  - data/excluded/GO-2023-1642.yaml    (https://github.com/golang/vulndb/issues/1642)    NOT_GO_CODE
  - data/reports/GO-2022-0393.yaml    (https://github.com/golang/vulndb/issues/393)
  - data/reports/GO-2022-0457.yaml    (https://github.com/golang/vulndb/issues/457)
  - data/reports/GO-2022-0458.yaml    (https://github.com/golang/vulndb/issues/458)
  - data/reports/GO-2022-0959.yaml    (https://github.com/golang/vulndb/issues/959)
  - data/reports/GO-2023-1643.yaml    (https://github.com/golang/vulndb/issues/1643)
  - data/reports/GO-2023-1644.yaml    (https://github.com/golang/vulndb/issues/1644)
  - data/reports/GO-2023-1730.yaml    (https://github.com/golang/vulndb/issues/1730)
  - data/reports/GO-2023-1785.yaml    (https://github.com/golang/vulndb/issues/1785)
  - data/reports/GO-2023-1862.yaml    (https://github.com/golang/vulndb/issues/1862)
  - data/reports/GO-2023-2078.yaml    (https://github.com/golang/vulndb/issues/2078)
  - data/reports/GO-2023-2079.yaml    (https://github.com/golang/vulndb/issues/2079)
  - data/reports/GO-2023-2080.yaml    (https://github.com/golang/vulndb/issues/2080)
  - data/reports/GO-2024-2568.yaml    (https://github.com/golang/vulndb/issues/2568)
  - data/reports/GO-2024-2569.yaml    (https://github.com/golang/vulndb/issues/2569)
  - data/reports/GO-2024-2653.yaml    (https://github.com/golang/vulndb/issues/2653)
  - data/reports/GO-2024-2656.yaml    (https://github.com/golang/vulndb/issues/2656)
  - data/reports/GO-2024-2657.yaml    (https://github.com/golang/vulndb/issues/2657)
  - data/reports/GO-2024-2666.yaml    (https://github.com/golang/vulndb/issues/2666)
  - data/reports/GO-2024-2922.yaml    (https://github.com/golang/vulndb/issues/2922)
  - data/reports/GO-2024-3071.yaml    (https://github.com/golang/vulndb/issues/3071)
  - data/reports/GO-2024-3072.yaml    (https://github.com/golang/vulndb/issues/3072)
  - data/reports/GO-2024-3074.yaml    (https://github.com/golang/vulndb/issues/3074)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
- module: github.com/cilium/cilium
versions:
- introduced: 1.14.0
- fixed: 1.14.16
- introduced: 1.15.0
- fixed: 1.15.10
vulnerable_at: 1.15.9
summary: |-
Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is
present in github.com/cilium/cilium
cves:
- CVE-2024-47825
ghsas:
- GHSA-3wwx-63fv-pfq6
references:
- advisory: GHSA-3wwx-63fv-pfq6
- advisory: GHSA-3wwx-63fv-pfq6
- fix: cilium/cilium@02d28d9
- fix: cilium/cilium@9c01afb
source:
id: GHSA-3wwx-63fv-pfq6
created: 2024-10-21T20:02:40.239272367Z
review_status: UNREVIEWED

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions