VYPR

apk package

wolfi/cilium-1.14-iptables

pkg:apk/wolfi/cilium-1.14-iptables

Vulnerabilities (60)

  • CVE-2024-24787 · Medium · May 8, 2024
    affected < 1.14.11-r0 · fixed 1.14.11-r0

    On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

  • CVE-2023-46565 · High · Apr 29, 2024
    affected < 1.14.19-r34 · fixed 1.14.19-r34

    Buffer Overflow vulnerability in osrg gobgp commit 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to cause a denial of service via the handlingError function in pkg/server/fsm.go.

  • CVE-2023-45288 · High · Apr 4, 2024
    affected < 1.14.9-r5 · fixed 1.14.9-r5

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma

  • CVE-2024-28860 · Mar 27, 2024
    affected < 1.14.19-r34 · fixed 1.14.19-r34

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen

  • CVE-2024-28250 · Mar 18, 2024
    affected < 1.14.8-r0 · fixed 1.14.8-r0

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, in Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies, WireGuard-eligible traffic that is sent b

  • CVE-2024-28249 · Mar 18, 2024
    affected < 1.14.19-r34 · fixed 1.14.19-r34

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on o

  • CVE-2024-28248 · Mar 18, 2024
    affected < 1.14.8-r0 · fixed 1.14.8-r0

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.9 and prior to versions 1.13.13, 1.14.8, and 1.15.2, Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTT

  • CVE-2024-28180 · Mar 9, 2024
    affected < 1.14.7-r0 · fixed 1.14.7-r0

    Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret

  • CVE-2024-24786 · High · Mar 5, 2024
    affected < 1.14.19-r34 · fixed 1.14.19-r34

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2024-25631 · Feb 20, 2024
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and WireGuard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 be

  • CVE-2024-25630 · Feb 20, 2024
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) and WireGuard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted

  • CVE-2023-41332 · Sep 26, 2023
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with `policy.cilium.io/proxy-visibility` annotations (in Cilium >= v1.13) or `io.cilium.proxy-visibilit

  • CVE-2023-41333 · Sep 26, 2023
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy en

  • CVE-2023-39347 · Sep 26, 2023
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-pr

  • CVE-2023-30851 · May 25, 2023
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wi

  • CVE-2023-27594 · Mar 17, 2023
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from

  • CVE-2023-27593 · Mar 17, 2023
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By rep

  • CVE-2022-29179 · May 20, 2022
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Prior to versions 1.9.16, 1.10.11, and 1.11.15, if an attacker is able to perform a container escape of a container running as root on a host where Cili

  • CVE-2022-29178 · May 20, 2022
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to

  • CVE-2020-8559 · Jul 22, 2020
    affected < 1.14.19-r23 · fixed 1.14.19-r23

    The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6, is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
