Vulnerability Details CVE-2024-28250
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node's Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (`routingMode=native`) and in Cilium 1.14.4 in tunneling mode (`routingMode=tunnel`). Not that in tunneling mode, `encryption.wireguard.encapsulate` must be set to `true`. There is no known workaround for this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.5%
CVSS Severity
CVSS v3 Score 6.1
References
- https://github.com/cilium/cilium/releases/tag/v1.13.13
- https://github.com/cilium/cilium/releases/tag/v1.14.8
- https://github.com/cilium/cilium/releases/tag/v1.15.2
- https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6
- https://github.com/cilium/cilium/releases/tag/v1.13.13
- https://github.com/cilium/cilium/releases/tag/v1.14.8
- https://github.com/cilium/cilium/releases/tag/v1.15.2
- https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6
Products affected by CVE-2024-28250
-
cpe:2.3:a:cilium:cilium:1.14.0
-
cpe:2.3:a:cilium:cilium:1.14.1
-
cpe:2.3:a:cilium:cilium:1.14.2
-
cpe:2.3:a:cilium:cilium:1.14.3
-
cpe:2.3:a:cilium:cilium:1.14.4
-
cpe:2.3:a:cilium:cilium:1.14.5
-
cpe:2.3:a:cilium:cilium:1.14.6
-
cpe:2.3:a:cilium:cilium:1.14.7
-
cpe:2.3:a:cilium:cilium:1.15.0
-
cpe:2.3:a:cilium:cilium:1.15.1