Advisory GHSA-3wwx-63fv-pfq6 references a vulnerability in the following Go modules:
Description:
Impact
A policy rule denying a prefix that is broader than /32 may be ignored if there is
- A policy rule referencing a more narrow prefix (
CIDRSet or toFQDN) and
- This narrower policy rule specifies either
enableDefaultDeny: false or - toEntities: all
Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.
As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: block-scary-range
spec:...
References:
- ADVISORY: https://github.com/advisories/GHSA-3wwx-63fv-pfq6
- ADVISORY: https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6
- FIX: https://github.com/cilium/cilium/commit/02d28d9ac9afcaddd301fae6fb4d6cda8c2d0c45
- FIX: https://github.com/cilium/cilium/commit/9c01afb5646af3f0c696421a410dc66c513b6524
Cross references:
- github.com/cilium/cilium appears in 24 other report(s):
- data/excluded/GO-2022-0530.yaml (https://github.com/golang/vulndb/issues/530) NOT_GO_CODE
- data/excluded/GO-2023-1642.yaml (https://github.com/golang/vulndb/issues/1642) NOT_GO_CODE
- data/reports/GO-2022-0393.yaml (https://github.com/golang/vulndb/issues/393)
- data/reports/GO-2022-0457.yaml (https://github.com/golang/vulndb/issues/457)
- data/reports/GO-2022-0458.yaml (https://github.com/golang/vulndb/issues/458)
- data/reports/GO-2022-0959.yaml (https://github.com/golang/vulndb/issues/959)
- data/reports/GO-2023-1643.yaml (https://github.com/golang/vulndb/issues/1643)
- data/reports/GO-2023-1644.yaml (https://github.com/golang/vulndb/issues/1644)
- data/reports/GO-2023-1730.yaml (https://github.com/golang/vulndb/issues/1730)
- data/reports/GO-2023-1785.yaml (https://github.com/golang/vulndb/issues/1785)
- data/reports/GO-2023-1862.yaml (https://github.com/golang/vulndb/issues/1862)
- data/reports/GO-2023-2078.yaml (https://github.com/golang/vulndb/issues/2078)
- data/reports/GO-2023-2079.yaml (https://github.com/golang/vulndb/issues/2079)
- data/reports/GO-2023-2080.yaml (https://github.com/golang/vulndb/issues/2080)
- data/reports/GO-2024-2568.yaml (https://github.com/golang/vulndb/issues/2568)
- data/reports/GO-2024-2569.yaml (https://github.com/golang/vulndb/issues/2569)
- data/reports/GO-2024-2653.yaml (https://github.com/golang/vulndb/issues/2653)
- data/reports/GO-2024-2656.yaml (https://github.com/golang/vulndb/issues/2656)
- data/reports/GO-2024-2657.yaml (https://github.com/golang/vulndb/issues/2657)
- data/reports/GO-2024-2666.yaml (https://github.com/golang/vulndb/issues/2666)
- data/reports/GO-2024-2922.yaml (https://github.com/golang/vulndb/issues/2922)
- data/reports/GO-2024-3071.yaml (https://github.com/golang/vulndb/issues/3071)
- data/reports/GO-2024-3072.yaml (https://github.com/golang/vulndb/issues/3072)
- data/reports/GO-2024-3074.yaml (https://github.com/golang/vulndb/issues/3074)
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/cilium/cilium
versions:
- introduced: 1.14.0
- fixed: 1.14.16
- introduced: 1.15.0
- fixed: 1.15.10
vulnerable_at: 1.15.9
summary: |-
Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is
present in github.com/cilium/cilium
cves:
- CVE-2024-47825
ghsas:
- GHSA-3wwx-63fv-pfq6
references:
- advisory: GHSA-3wwx-63fv-pfq6
- advisory: GHSA-3wwx-63fv-pfq6
- fix: cilium/cilium@02d28d9
- fix: cilium/cilium@9c01afb
source:
id: GHSA-3wwx-63fv-pfq6
created: 2024-10-21T20:02:40.239272367Z
review_status: UNREVIEWED
Advisory GHSA-3wwx-63fv-pfq6 references a vulnerability in the following Go modules:
Description:
Impact
A policy rule denying a prefix that is broader than /32 may be ignored if there is
CIDRSetortoFQDN) andenableDefaultDeny: falseor- toEntities: allNote that a rule specifying
toEntities: worldortoEntities: 0.0.0.0/0is insufficient, it must be to entityall.As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:
id: GO-ID-PENDING
modules:
- module: github.com/cilium/cilium
versions:
- introduced: 1.14.0
- fixed: 1.14.16
- introduced: 1.15.0
- fixed: 1.15.10
vulnerable_at: 1.15.9
summary: |-
Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is
present in github.com/cilium/cilium
cves:
- CVE-2024-47825
ghsas:
- GHSA-3wwx-63fv-pfq6
references:
- advisory: GHSA-3wwx-63fv-pfq6
- advisory: GHSA-3wwx-63fv-pfq6
- fix: cilium/cilium@02d28d9
- fix: cilium/cilium@9c01afb
source:
id: GHSA-3wwx-63fv-pfq6
created: 2024-10-21T20:02:40.239272367Z
review_status: UNREVIEWED