Moderate severityNVD Advisory· Published May 25, 2023· Updated Jan 16, 2025
Potential HTTP policy bypass when using header rules in Cilium
CVE-2023-30851
Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple toEndpoints AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/cilium/ciliumGo | < 1.11.16 | 1.11.16 |
github.com/cilium/ciliumGo | >= 1.12.0, < 1.12.9 | 1.12.9 |
github.com/cilium/ciliumGo | >= 1.13.0, < 1.13.2 | 1.13.2 |
Affected products
60- osv-coords59 versionspkg:apk/chainguard/cilium-1.14pkg:apk/chainguard/cilium-1.14-clustermesh-apiserverpkg:apk/chainguard/cilium-1.14-container-initpkg:apk/chainguard/cilium-1.14-container-init-compatpkg:apk/chainguard/cilium-1.14-hubble-relaypkg:apk/chainguard/cilium-1.14-iptablespkg:apk/chainguard/cilium-1.14-operator-awspkg:apk/chainguard/cilium-1.14-operator-genericpkg:apk/chainguard/cilium-1.15pkg:apk/chainguard/cilium-1.15-clustermesh-apiserverpkg:apk/chainguard/cilium-1.15-container-initpkg:apk/chainguard/cilium-1.15-container-init-compatpkg:apk/chainguard/cilium-1.15-hubble-relaypkg:apk/chainguard/cilium-1.15-iptablespkg:apk/chainguard/cilium-1.15-operator-awspkg:apk/chainguard/cilium-1.15-operator-genericpkg:apk/chainguard/cilium-fips-1.14pkg:apk/chainguard/cilium-fips-1.14-clustermesh-apiserverpkg:apk/chainguard/cilium-fips-1.14-compatpkg:apk/chainguard/cilium-fips-1.14-container-initpkg:apk/chainguard/cilium-fips-1.14-container-init-compatpkg:apk/chainguard/cilium-fips-1.14-host-utilspkg:apk/chainguard/cilium-fips-1.14-hubble-relaypkg:apk/chainguard/cilium-fips-1.14-iptablespkg:apk/chainguard/cilium-fips-1.14-operator-awspkg:apk/chainguard/cilium-fips-1.14-operator-azurepkg:apk/chainguard/cilium-fips-1.14-operator-genericpkg:apk/chainguard/cilium-fips-1.15pkg:apk/chainguard/cilium-fips-1.15-clustermesh-apiserverpkg:apk/chainguard/cilium-fips-1.15-container-initpkg:apk/chainguard/cilium-fips-1.15-container-init-compatpkg:apk/chainguard/cilium-fips-1.15-host-utilspkg:apk/chainguard/cilium-fips-1.15-hubble-relaypkg:apk/chainguard/cilium-fips-1.15-operator-awspkg:apk/chainguard/cilium-fips-1.15-operator-azurepkg:apk/chainguard/cilium-fips-1.15-operator-genericpkg:apk/chainguard/hubble-ui-backendpkg:apk/wolfi/cilium-1.14pkg:apk/wolfi/cilium-1.14-container-initpkg:apk/wolfi/cilium-1.14-container-init-compatpkg:apk/wolfi/cilium-1.14-hubble-relaypkg:apk/wolfi/cilium-1.14-iptablespkg:apk/wolfi/cilium-1.14-operator-genericpkg:apk/wolfi/cilium-1.15pkg:apk/wolfi/cilium-1.15-container-initpkg:apk/wolfi/cilium-1.15-container-init-compatpkg:apk/wolfi/cilium-1.15-hubble-relaypkg:apk/wolfi/cilium-1.15-iptablespkg:apk/wolfi/cilium-1.15-operator-awspkg:apk/wolfi/cilium-1.15-operator-genericpkg:apk/wolfi/hubble-ui-backendpkg:bitnami/ciliumpkg:bitnami/cilium-operatorpkg:bitnami/cilium-proxypkg:bitnami/hubblepkg:bitnami/hubble-relaypkg:bitnami/hubble-uipkg:bitnami/hubble-ui-backendpkg:golang/github.com/cilium/cilium
< 1.14.19-r23+ 58 more
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 1.14.19-r24
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.12.0-r0
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 1.14.19-r23
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.12.0-r0
- (no CPE)range: < 1.11.16
- (no CPE)range: < 1.11.16
- (no CPE)range: < 1.11.16
- (no CPE)range: < 1.11.16
- (no CPE)range: < 1.11.16
- (no CPE)range: < 1.11.16
- (no CPE)range: < 1.11.16
- (no CPE)range: < 1.11.16
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-2h44-x2wx-49f4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-30851ghsaADVISORY
- github.com/cilium/cilium/releases/tag/v1.11.16ghsax_refsource_MISCWEB
- github.com/cilium/cilium/releases/tag/v1.12.9ghsax_refsource_MISCWEB
- github.com/cilium/cilium/releases/tag/v1.13.2ghsax_refsource_MISCWEB
- github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.