Cilium · Cilium · CVE-2025-23047
**Name of the Vulnerable Software and Affected Versions**
Cilium versions 1.14.0 through 1.14.7
Cilium versions 1.15.0 through 1.15.11
Cilium versions 1.16.0 through 1.16.4
**Description**
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An insecure default `Access-Control-Allow-Origin` header value could lead to sensitive data exposure for users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this issue to be exploited, a victim would have to first visit a malicious page.
**Recommendations**
For versions 1.14.0 through 1.14.7, update to version 1.14.18 or later.
For versions 1.15.0 through 1.15.11, update to version 1.15.12 or later.
For versions 1.16.0 through 1.16.4, update to version 1.16.5 or later.
As a temporary workaround, users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template.
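The exposure described above and the workaround of removing the CORS headers both come down to what `Access-Control-Allow-Origin` a browser sees. The following is an added example, not Cilium's or Hubble UI's own code, for checking a deployment from the defender's side: it classifies a set of response headers as exposed (wildcard or reflected origin), restricted (fixed allowlist value), or no-cors (headers absent, as after the Helm workaround). The sample header sets are constructed for illustration; the `probe` helper, the `cors-canary.invalid` origin and the verdict names are this example's own choices, not part of the advisory.

```python
"""Assess a CORS policy for the kind of cross-origin read exposure the advisory describes.

Added example (standard library only); header samples below are constructed,
not captured from a real Hubble UI instance.
"""
from __future__ import annotations

import urllib.request

WILDCARD = "*"


def assess_cors(request_origin: str, headers: dict[str, str]) -> dict:
    """Classify the CORS headers of one response.

    `request_origin` must be an origin the server has no reason to trust
    (a canary), so that a reflected value is distinguishable from a real
    allowlist entry. Header name lookup is case-insensitive.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: list[str] = []

    if acao is None:
        # No CORS grant at all: browsers block cross-origin reads by default.
        verdict = "no-cors"
    elif acao == WILDCARD:
        findings.append("wildcard Access-Control-Allow-Origin: any page may read responses")
        if credentials:
            findings.append("wildcard together with Allow-Credentials=true (misconfiguration signal)")
        verdict = "exposed"
    elif acao == request_origin:
        findings.append("canary Origin reflected back: every origin is effectively trusted")
        if credentials:
            findings.append("reflection with Allow-Credentials=true: authenticated cross-origin reads")
        verdict = "exposed"
    else:
        # A fixed value that is not our canary: an explicit allowlist.
        verdict = "restricted"

    return {
        "verdict": verdict,
        "allow_origin": acao,
        "credentials": credentials,
        "findings": findings,
    }


def probe(url: str, canary_origin: str = "https://cors-canary.invalid", timeout: float = 5.0) -> dict:
    """Fetch `url` with a canary Origin header and assess the live response.

    Hypothetical helper for checking one's own Hubble UI endpoint; not run offline.
    """
    req = urllib.request.Request(url, headers={"Origin": canary_origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess_cors(canary_origin, dict(resp.headers.items()))


# Constructed samples: the insecure default, an explicit allowlist, and the
# state after the workaround (CORS headers removed from the template).
CANARY = "https://cors-canary.invalid"
VULNERABLE_SAMPLE = {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"}
REFLECTED_SAMPLE = {
    "Access-Control-Allow-Origin": CANARY,
    "Access-Control-Allow-Credentials": "true",
}
ALLOWLIST_SAMPLE = {"Access-Control-Allow-Origin": "https://hubble.example.internal", "Vary": "Origin"}
HARDENED_SAMPLE = {"Content-Type": "application/json"}

if __name__ == "__main__":
    for name, sample in [
        ("vulnerable", VULNERABLE_SAMPLE),
        ("reflected", REFLECTED_SAMPLE),
        ("allowlist", ALLOWLIST_SAMPLE),
        ("hardened", HARDENED_SAMPLE),
    ]:
        print(name, assess_cors(CANARY, sample))
```

Run `probe("https://<your-hubble-ui>/")` against your own instance after upgrading or applying the workaround; a `no-cors` or `restricted` verdict is what you want to see, while `exposed` means any page the victim visits can read the cluster metadata the advisory lists.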