Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-30851 #1791

Closed
GoVulnBot opened this issue May 25, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-30851 #1791

GoVulnBot opened this issue May 25, 2023 · 2 comments
Assignees
@neild
Labels
duplicate

Comments

@GoVulnBot
Copy link

CVE-2023-30851 references github.com/cilium/cilium, which may be a Go module.

Description:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple toEndpoints AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/cilium/cilium
    packages:
      - package: cilium
description: |
    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2.
cves:
  - CVE-2023-30851
references:
  - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4
  - web: https://github.com/cilium/cilium/releases/tag/v1.11.16
  - web: https://github.com/cilium/cilium/releases/tag/v1.12.9
  - web: https://github.com/cilium/cilium/releases/tag/v1.13.2
@neild neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jun 21, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/507896 mentions this issue: data/excluded: batch add 10 excluded reports

@tatianab
Copy link
Contributor

tatianab commented Jul 5, 2023

Duplicate of #1785

@tatianab tatianab marked this as a duplicate of #1785 Jul 5, 2023
@tatianab tatianab added duplicate and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Jul 5, 2023
@tatianab tatianab closed this as completed Jul 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @tatianab @gopherbot @GoVulnBot