Information Disclosure

2023-06-2602:42:54

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cilium

gateway api

information disclosure

tls secret

namespace checks

attack

cluster secrets

services

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

18.4%

JSON

github.com/cilium/cilium is vulnerable to Information Disclosure. The vulnerability exists due to the lack of namespace checks for TLS secret references in the Gateway API, which allows an attacker to gain access to secrets (including certificates) and services across namespaces and configure Cilium to use cluster secrets or communicate with services that it should not have access when the Gateway API is enabled.

CPENameOperatorVersion
github.com/cilium/ciliumle1.13.3
github.com/cilium/ciliumle1.14.0-snapshot.3
github.com/cilium/ciliumle1.13.3
github.com/cilium/ciliumle1.14.0-snapshot.3

Name	Operator	Version
github.com/cilium/cilium	le	1.13.3
github.com/cilium/cilium	le	1.14.0-snapshot.3
github.com/cilium/cilium	le	1.13.3
github.com/cilium/cilium	le	1.14.0-snapshot.3