Giorio94

**Name of the Vulnerable Software and Affected Versions** Cilium versions prior to 1.13.13 Cilium versions prior to 1.14.8 Cilium versions prior to 1.15.2 Cilium versions 1.4 through 1.12 **Description** In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sent unencrypted, and IPsec-eligible traffic between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue affects connections selected by a L7 Egress Network Policy or a DNS Policy in native routing mode, which is a known limitation of Cilium's IPsec encryption. **Recommendations** For Cilium versions prior to 1.13.13, update to version 1.13.13 or later. For Cilium versions prior to 1.14.8, update to version 1.14.8 or later. For Cilium versions prior to 1.15.2, update to version 1.15.2 or later. For Cilium versions 1.4 through 1.12, update to a version outside of this range, such as 1.13.13, 1.14.8, or 1.15.2. As a temporary workaround is not available, updating to the specified versions is the recommended course of action.

**Name of the Vulnerable Software and Affected Versions** Cilium versions 1.14.0 through 1.14.7 Cilium versions 1.15.0 through 1.15.1 Cilium version 1.14.4 with `encryption.wireguard.encapsulate` set to `false` in tunneling mode **Description** In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies, WireGuard-eligible traffic sent between a node's Envoy proxy and pods on other nodes is sent unencrypted, and WireGuard-eligible traffic sent between a node's DNS proxy and pods on other nodes is sent unencrypted. **Recommendations** For Cilium versions 1.14.0 through 1.14.7, update to version 1.14.8 or later in native routing mode. For Cilium versions 1.15.0 through 1.15.1, update to version 1.15.2 or later in native routing mode. For Cilium version 1.14.4 in tunneling mode, set `encryption.wireguard.encapsulate` to `true` to resolve the issue. There is no known workaround for this issue.

**Name of the Vulnerable Software and Affected Versions** cilium-cli versions prior to 0.13.2 **Description** The issue arises when `cilium-cli` is used to configure cluster mesh functionality, potentially removing the enforcement of user permissions on the `etcd` store. This occurs due to an incorrect mount point specification, causing the settings specified by the `initContainer` to be overwritten. As a result, an attacker with access to a valid key and certificate for the compromised `etcd` cluster could modify its state. **Recommendations** For versions prior to 0.13.2, update to version 0.13.2 to resolve the issue. As a temporary workaround, consider using Cilium's Helm charts to create the cluster instead of `cilium-cli`.