CVE-2023-30851
Severity: MEDIUM 5.3 | EPSS: 0.17%
Potential HTTP policy bypass when using header rules in Cilium
Published: 2023/5/22 | Modified: 2024/8/20
Also known as: GHSA-2h44-x2wx-49f4, BIT-cilium-2023-30851, BIT-cilium-operator-2023-30851, BIT-cilium-proxy-2023-30851, BIT-hubble-2023-30851, BIT-hubble-relay-2023-30851, BIT-hubble-ui-2023-30851, BIT-hubble-ui-backend-2023-30851, CGA-xrqg-267f-7382, GO-2023-1785
Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have an HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause a bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2.
Affected packages (9)
- Bitnami/cilium: from 0, < 1.11.16; >= 1.12.0, < 1.12.9; >= 1.13.0, < 1.13.2
- Bitnami/cilium-operator: from 0, < 1.11.16; >= 1.12.0, < 1.12.9; >= 1.13.0, < 1.13.2
- Bitnami/cilium-proxy: from 0, < 1.11.16; >= 1.12.0, < 1.12.9; >= 1.13.0, < 1.13.2
- Bitnami/hubble: from 0, < 1.11.16; >= 1.12.0, < 1.12.9; >= 1.13.0, < 1.13.2
- Bitnami/hubble-relay: from 0, < 1.11.16; >= 1.12.0, < 1.12.9; >= 1.13.0, < 1.13.2
- Bitnami/hubble-ui: from 0, < 1.11.16; >= 1.12.0, < 1.12.9; >= 1.13.0, < 1.13.2
- Bitnami/hubble-ui-backend: from 0, < 1.11.16; >= 1.12.0, < 1.12.9; >= 1.13.0, < 1.13.2
- Go/github.com/cilium/cilium: from 0, < 1.11.16; >= 1.12.0, < 1.12.9; >= 1.13.0, < 1.13.2
- Go/github.com/cilium/cilium: from 0, < 1.11.16
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-30851
- PATCH: https://github.com/cilium/cilium
- WEB: https://github.com/cilium/cilium/releases/tag/v1.11.16
- WEB: https://github.com/cilium/cilium/releases/tag/v1.12.9
- WEB: https://github.com/cilium/cilium/releases/tag/v1.13.2
- WEB: https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4