PT-2023-24766 · Cilium · Cilium

Meyskens · Published 2023-06-15 · Updated 2024-08-20 · CVE-2023-34242

CVSS v3.1: 3.4 (Low)
Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Cilium versions prior to 1.13.4

Description: When the Gateway API is enabled in Cilium, Cilium did not check the namespace in which a ReferenceGrant was created (a ReferenceGrant is only meant to be honoured when it lives in the namespace of the resource it grants access to). An attacker on an affected cluster who can create a ReferenceGrant could exploit this to give Cilium unintended visibility of Secrets, including certificates, and Services across namespaces, and thereby use cluster secrets that should not be visible to them or communicate with services they should not have access to. Gateway API functionality is disabled by default.

Recommendations: As a temporary workaround, restrict the creation of ReferenceGrant resources to admin users by using Kubernetes RBAC. Update to Cilium release 1.13.4 or later to fix the issue.
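The RBAC workaround above, as an added example that is not part of this advisory or of the Cilium project: a namespaced developer Role that hands out every Gateway API resource through a wildcard (and so lets any bound user create a ReferenceGrant) is shown next to a corrected Role that enumerates resources and leaves referencegrants read-only, plus an admin-only ClusterRole and binding that keep creation with administrators. Role, namespace and group names (dev-gateway-editor, team-a, platform-admins) are hypothetical; the API group gateway.networking.k8s.io and the resource name referencegrants are the real Gateway API identifiers.

```yaml
# WEAK (shown for contrast, do not apply): the wildcard covers referencegrants,
# so anyone bound to this Role can create a ReferenceGrant in team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-gateway-editor-weak   # hypothetical name
  namespace: team-a               # hypothetical namespace
rules:
- apiGroups: ["gateway.networking.k8s.io"]
  resources: ["*"]                # includes referencegrants
  verbs: ["*"]
---
# CORRECTED: RBAC is additive (there is no deny rule), so the only way to
# withhold ReferenceGrant creation is to not grant it. Resources developers
# need are listed explicitly; referencegrants is limited to read verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-gateway-editor        # hypothetical name
  namespace: team-a               # hypothetical namespace
rules:
- apiGroups: ["gateway.networking.k8s.io"]
  resources: ["gateways", "httproutes"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["gateway.networking.k8s.io"]
  resources: ["referencegrants"]
  verbs: ["get", "list", "watch"]  # read-only; creation stays with admins
---
# ADMIN ONLY: a ClusterRole that may create ReferenceGrants, bound to the
# cluster administrators group rather than to per-team developer subjects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: referencegrant-admin      # hypothetical name
rules:
- apiGroups: ["gateway.networking.k8s.io"]
  resources: ["referencegrants"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: referencegrant-admin      # hypothetical name
subjects:
- kind: Group
  name: platform-admins           # hypothetical admin group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: referencegrant-admin
  apiGroup: rbac.authorization.k8s.io
```

Because RBAC grants accumulate from every Role and ClusterRole bound to a subject, verify the result against the live cluster rather than by reading one manifest: `kubectl auth can-i create referencegrants.gateway.networking.k8s.io --as=system:serviceaccount:team-a:default -n team-a` should answer `no` for each non-admin subject, and `yes` only for administrators. This only limits who can plant a ReferenceGrant; the namespace check itself is restored by upgrading to Cilium 1.13.4 or later.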

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BIT-CILIUM-2023-34242
BIT-CILIUM-OPERATOR-2023-34242
BIT-CILIUM-PROXY-2023-34242
BIT-HUBBLE-2023-34242
BIT-HUBBLE-RELAY-2023-34242
BIT-HUBBLE-UI-2023-34242
BIT-HUBBLE-UI-BACKEND-2023-34242
CVE-2023-34242
GHSA-R7WR-4W5Q-55M6
GO-2023-1862

Affected Products

Cilium