PT-2023-24766 · Cilium · Cilium

Meyskens · Published 2023-06-15 · Updated 2024-08-20 · CVE-2023-34242

CVSS v3.1: 3.4 (Low)
Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Cilium versions prior to 1.13.4

Description: The issue arises when Gateway API is enabled in Cilium. Cilium did not check the namespace in which a ReferenceGrant is created, and an attacker on an affected cluster can leverage that missing check. As a result, Cilium can unintentionally gain visibility of secrets, including certificates, and of services across namespaces, so an attacker can use cluster secrets that should not be visible to them or communicate with services they should not have access to. Gateway API functionality is disabled by default.

Recommendations: As a temporary workaround, restrict the creation of ReferenceGrant resources to admin users by using Kubernetes RBAC. Update to Cilium release 1.13.4 or later to fix the issue.
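An added example of the RBAC workaround recommended above (not from the advisory or the Cilium project): a tenant Role with a wildcard over the Gateway API group, which silently includes ReferenceGrant, next to a corrected Role that enumerates resources, plus a ClusterRole that keeps ReferenceGrant writes with an administrators group. The namespace `team-a`, the group `platform-admins` and the role names are assumptions.

```yaml
# Weak: a wildcard over the Gateway API group silently includes referencegrants,
# so anyone bound to this Role can create the cross-namespace grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gateway-editor-weak
  namespace: team-a      # assumed tenant namespace
rules:
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]
---
# Corrected: enumerate what a tenant needs; write access to referencegrants is left out.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gateway-editor
  namespace: team-a
rules:
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes", "gateways"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["referencegrants"]
    verbs: ["get", "list", "watch"]
---
# Only cluster administrators may create or modify ReferenceGrant objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: referencegrant-admin
rules:
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["referencegrants"]
    verbs: ["create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: referencegrant-admin
subjects:
  - kind: Group
    name: platform-admins   # assumed admin group from the identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: referencegrant-admin
  apiGroup: rbac.authorization.k8s.io
```

Check the result with `kubectl auth can-i create referencegrants.gateway.networking.k8s.io --as=<tenant-user> -n team-a`, which should answer `no`. Kubernetes RBAC is additive, so also audit every other binding for wildcard rules on the `gateway.networking.k8s.io` group before relying on this workaround.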

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

BIT-CILIUM-2023-34242
BIT-CILIUM-OPERATOR-2023-34242
BIT-CILIUM-PROXY-2023-34242
BIT-HUBBLE-2023-34242
BIT-HUBBLE-RELAY-2023-34242
BIT-HUBBLE-UI-2023-34242
BIT-HUBBLE-UI-BACKEND-2023-34242
CVE-2023-34242
GHSA-R7WR-4W5Q-55M6
GO-2023-1862

Affected products

Cilium