GHSA-g8fc-vrcg-8vjg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g8fc-vrcg-8vjg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-g8fc-vrcg-8vjg/GHSA-g8fc-vrcg-8vjg.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-g8fc-vrcg-8vjg
- Aliases
- Published
- 2024-04-15T18:13:15Z
- Modified
- 2024-06-04T19:35:51Z
- Summary
- Constallation has pods exposed to peers in VPC
- Details
-
Impact
Cilium allows outside actors (
worldentity) to directly access pods with their internal pod IP, even if they are not exposed explicitly (e.g. viaLoadBalancer). A pod that does not authenticate clients and that does not excludeworldtraffic via network policy may leak sensitive data to an attacker inside the cloud VPC.Patches
The issue has been patched in v2.16.3.
Workarounds
This network policy excludes all
worldtraffic. It mitigates the problem, but will also block all desired external traffic. If vulnerable pods are known, a policy can be crafted to only firewall those instead (see also https://docs.cilium.io/en/stable/security/policy/language/#access-to-from-outside-cluster).apiVersion: "cilium.io/v2" kind: CiliumClusterwideNetworkPolicy metadata: name: "from-world-to-role-public" spec: endpointSelector: matchLabels: {} # role: public ingressDeny: - fromEntities: - worldReferences
The tracking bug for a Cilium-side fix is https://github.com/cilium/cilium/issues/25626.
- Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-940" ], "github_reviewed_at": "2024-04-15T18:13:15Z", "nvd_published_at": null, "github_reviewed": true }- References
Affected packages
Go / github.com/edgelesssys/constellation/v2
Package
- Name
- github.com/edgelesssys/constellation/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/edgelesssys/constellation/v2