chore(deps): update module github.com/cilium/cilium to v1.15.13 [security] (main) #3351
This PR contains the following updates:
v1.15.1 -> v1.15.13
HTTP policy bypass in github.com/cilium/cilium
BIT-cilium-2024-28248 / BIT-cilium-operator-2024-28248 / BIT-cilium-proxy-2024-28248 / BIT-hubble-2024-28248 / BIT-hubble-relay-2024-28248 / BIT-hubble-ui-2024-28248 / BIT-hubble-ui-backend-2024-28248 / CVE-2024-28248 / GHSA-68mj-9pjq-mc85 / GO-2024-2653
More information
Details
Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Unencrypted traffic between nodes when using IPsec and L7 policies
BIT-cilium-2024-28249 / BIT-cilium-operator-2024-28249 / BIT-cilium-proxy-2024-28249 / BIT-hubble-2024-28249 / BIT-hubble-relay-2024-28249 / BIT-hubble-ui-2024-28249 / BIT-hubble-ui-backend-2024-28249 / CGA-357h-gw82-jhpp / CVE-2024-28249 / GHSA-j89h-qrvr-xc36 / GO-2024-2656
More information
Details
Impact
In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:
Note: For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by a L7 Egress Network Policy or a DNS Policy. This is a known limitation of Cilium's IPsec encryption which will continue to apply after upgrading to the latest Cilium versions described below.
Patches
This issue affects:
This issue has been resolved in:
Workarounds
There is no workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @jschwinger233, @julianwiedmann, @giorio94, and @jrajahalme for their work in triaging and resolving this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at [email protected]. This is a private mailing list that only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Unencrypted traffic between nodes when using WireGuard and L7 policies
BIT-cilium-2024-28250 / BIT-cilium-operator-2024-28250 / BIT-cilium-proxy-2024-28250 / BIT-hubble-2024-28250 / BIT-hubble-relay-2024-28250 / BIT-hubble-ui-2024-28250 / BIT-hubble-ui-backend-2024-28250 / CVE-2024-28250 / GHSA-v6q2-4qr3-5cw6 / GO-2024-2657
More information
Details
Impact
In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:
Patches
This issue affects:
- (for routingMode=native)
- (for routingMode=tunnel): encryption.wireguard.encapsulate is set to false (default).
This issue has been resolved in:
- (for routingMode=native)
- (for routingMode=tunnel): encryption.wireguard.encapsulate must be set to true.
Workarounds
There is no workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @brb, @giorio94, @gandro and @jschwinger233 for their work on triaging and remediating this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at [email protected]. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Intermittent HTTP policy bypass
BIT-cilium-2024-28248 / BIT-cilium-operator-2024-28248 / BIT-cilium-proxy-2024-28248 / BIT-hubble-2024-28248 / BIT-hubble-relay-2024-28248 / BIT-hubble-ui-2024-28248 / BIT-hubble-ui-backend-2024-28248 / CVE-2024-28248 / GHSA-68mj-9pjq-mc85 / GO-2024-2653
More information
Details
Impact
Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.
Patches
This issue affects:
This issue has been patched in:
Workarounds
There is no workaround for this issue – affected users are strongly encouraged to upgrade.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @romikps for discovering and reporting this issue, and @sayboras and @jrajahalme for preparing the fix.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium internal security team, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium
BIT-cilium-2024-28249 / BIT-cilium-operator-2024-28249 / BIT-cilium-proxy-2024-28249 / BIT-hubble-2024-28249 / BIT-hubble-relay-2024-28249 / BIT-hubble-ui-2024-28249 / BIT-hubble-ui-backend-2024-28249 / CGA-357h-gw82-jhpp / CVE-2024-28249 / GHSA-j89h-qrvr-xc36 / GO-2024-2656
More information
Details
In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted, and traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Unencrypted traffic between nodes with WireGuard in github.com/cilium/cilium
BIT-cilium-2024-28250 / BIT-cilium-operator-2024-28250 / BIT-cilium-proxy-2024-28250 / BIT-hubble-2024-28250 / BIT-hubble-relay-2024-28250 / BIT-hubble-ui-2024-28250 / BIT-hubble-ui-backend-2024-28250 / CVE-2024-28250 / GHSA-v6q2-4qr3-5cw6 / GO-2024-2657
More information
Details
In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes, and traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Insecure IPsec transparent encryption in github.com/cilium/cilium
BIT-cilium-2024-28860 / BIT-cilium-operator-2024-28860 / BIT-cilium-proxy-2024-28860 / BIT-hubble-2024-28860 / BIT-hubble-relay-2024-28860 / BIT-hubble-ui-2024-28860 / BIT-hubble-ui-backend-2024-28860 / CVE-2024-28860 / GHSA-pwqm-x5x6-5586 / GO-2024-2666
More information
Details
Insecure IPsec transparent encryption in github.com/cilium/cilium
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Cilium has insecure IPsec transport encryption
BIT-cilium-2024-28860 / BIT-cilium-operator-2024-28860 / BIT-cilium-proxy-2024-28860 / BIT-hubble-2024-28860 / BIT-hubble-relay-2024-28860 / BIT-hubble-ui-2024-28860 / BIT-hubble-ui-backend-2024-28860 / CVE-2024-28860 / GHSA-pwqm-x5x6-5586 / GO-2024-2666
More information
Details
Impact
Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective.
In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker:
These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks.
Important: After upgrading, users must perform a key rotation using the instructions here to ensure that they are no longer vulnerable to this issue. Please note that the key rotation instructions have recently been updated, and users must use the new instructions to properly establish secure IPsec tunnels. To validate that the new instructions have been followed properly, ensure that the IPsec Kubernetes secret contains a "+" sign.
Patches
All prior versions of Cilium that support IPsec transparent encryption (Cilium 1.4 onwards) are affected by this issue.
Patched versions:
Workarounds
There is no workaround to this issue. IPsec transparent encryption users are strongly encouraged to upgrade.
Acknowledgements
The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @NikAleksandrov and @pchaigno for their work on remediating the issue. Thanks to Marsh Ray, Senior Software Developer at Microsoft, for input and guidance on the fix.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list ([email protected]) first, before disclosing them in any public forums. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and reports are treated as top priority.
Severity
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Cilium leaks sensitive information in cilium-bugtool
BIT-cilium-2024-37307 / BIT-cilium-operator-2024-37307 / BIT-cilium-proxy-2024-37307 / BIT-hubble-2024-37307 / BIT-hubble-relay-2024-37307 / BIT-hubble-ui-2024-37307 / BIT-hubble-ui-backend-2024-37307 / CVE-2024-37307 / GHSA-wh78-7948-358j / GO-2024-2922
More information
Details
Impact
The output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled. Users of the following features are affected:
The sensitive data includes:
cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.
Patches
This issue affects:
This issue has been patched in:
Workarounds
There is no workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @sayboras for their work on triaging and remediating this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium
BIT-cilium-2024-37307 / BIT-cilium-operator-2024-37307 / BIT-cilium-proxy-2024-37307 / BIT-hubble-2024-37307 / BIT-hubble-relay-2024-37307 / BIT-hubble-ui-2024-37307 / BIT-hubble-ui-backend-2024-37307 / CVE-2024-37307 / GHSA-wh78-7948-358j / GO-2024-2922
More information
Details
Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Gateway API route matching order contradicts specification
BIT-cilium-2024-42487 / BIT-cilium-operator-2024-42487 / BIT-hubble-relay-2024-42487 / CVE-2024-42487 / GHSA-qcm3-7879-xcww / GO-2024-3071
More information
Details
Impact
Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule).
If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.
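The precedence problem above, as an added illustration (not Cilium's or the Gateway API project's code; the Rule type, SelectBackend and the writer-svc/canary-svc names are hypothetical, and path precedence is reduced to prefix length): the same two rules and the same request land on different backends depending on whether a method match is ranked before header matches, as the specification requires, or after them, as the affected versions did.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a reduced HTTPRouteRule: a path prefix, an optional method, exact header
// matches and a backend. Hypothetical type for this illustration, not Cilium's.
type Rule struct {
	PathPrefix string
	Method     string            // "" means any method
	Headers    map[string]string // lower-case header name -> exact value
	Backend    string
}

// matches reports whether every condition in r applies to the request.
func matches(r Rule, method, path string, headers map[string]string) bool {
	if !strings.HasPrefix(path, r.PathPrefix) || (r.Method != "" && r.Method != method) {
		return false
	}
	for name, want := range r.Headers {
		if headers[name] != want {
			return false
		}
	}
	return true
}

// rank scores a matching rule so that a plain integer comparison yields precedence.
// After path precedence the Gateway API specification ranks a method match above the
// number of header matches; the affected Cilium versions ranked header matches first,
// which specOrder=false reproduces. Weights assume fewer than 1000 header matches.
func rank(r Rule, specOrder bool) int {
	method := 0
	if r.Method != "" {
		method = 1
	}
	if specOrder {
		return len(r.PathPrefix)*1000000 + method*1000 + len(r.Headers)
	}
	return len(r.PathPrefix)*1000000 + len(r.Headers)*1000 + method
}

// SelectBackend returns the backend of the highest-precedence matching rule, or ""
// when nothing matches; on a tie the earlier rule wins. specOrder=true applies the
// specification's order, false the pre-fix behaviour described in the advisory.
func SelectBackend(rules []Rule, method, path string, headers map[string]string, specOrder bool) string {
	var best *Rule
	for i := range rules {
		r := &rules[i]
		if matches(*r, method, path, headers) && (best == nil || rank(*r, specOrder) > rank(*best, specOrder)) {
			best = r
		}
	}
	if best == nil {
		return ""
	}
	return best.Backend
}

// SampleRules is constructed input: two rules on the same path, one keyed on the
// method and one on a header, so a POST carrying the header satisfies both.
func SampleRules() []Rule {
	return []Rule{
		{PathPrefix: "/api", Method: "POST", Backend: "writer-svc"},
		{PathPrefix: "/api", Headers: map[string]string{"x-env": "canary"}, Backend: "canary-svc"},
	}
}

func main() {
	hdr := map[string]string{"x-env": "canary"}
	fmt.Println(SelectBackend(SampleRules(), "POST", "/api/orders", hdr, true))  // writer-svc
	fmt.Println(SelectBackend(SampleRules(), "POST", "/api/orders", hdr, false)) // canary-svc
}
```

A backend reached only because of the inverted order is exactly the case the advisory warns about; a Network Policy on that backend is the second line of defence when routing misbehaves.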
Patches
This issue was fixed in https://github.com/cilium/cilium/pull/34109.
This issue affects:
This issue is fixed in:
Workarounds
There is no workaround for this issue.
Acknowledgements
The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.
Further information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Gateway API route matching order contradicts specification in github.com/cilium/cilium
BIT-cilium-2024-42487 / BIT-cilium-operator-2024-42487 / BIT-hubble-relay-2024-42487 / CVE-2024-42487 / GHSA-qcm3-7879-xcww / GO-2024-3071
More information
Details
Gateway API route matching order contradicts specification in github.com/cilium/cilium
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium
BIT-cilium-2024-42486 / BIT-cilium-operator-2024-42486 / BIT-hubble-relay-2024-42486 / CVE-2024-42486 / GHSA-vwf8-q6fw-4wcm / GO-2024-3074
More information
Details
Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API
BIT-cilium-2024-42486 / BIT-cilium-operator-2024-42486 / BIT-hubble-relay-2024-42486 / CVE-2024-42486 / GHSA-vwf8-q6fw-4wcm / GO-2024-3074
More information
Details
Impact
Due to ReferenceGrant changes not being immediately propagated in Cilium's GatewayAPI controller, Gateway resources are able to access secrets in other namespaces after the associated ReferenceGrant has been revoked. This can lead to Gateways continuing to establish sessions using secrets that they should no longer have access to.
Patches
This issue was resolved in https://github.com/cilium/cilium/pull/34032.
This issue affects:
This issue has been patched in:
Workarounds
Any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any of these resources) will trigger a reconciliation of ReferenceGrants on an affected cluster.
Acknowledgements
The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for resolving this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium
BIT-cilium-2024-42488 / BIT-cilium-operator-2024-42488 / BIT-hubble-relay-2024-42488 / CVE-2024-42488 / GHSA-q7w8-72mr-vpgw / GO-2024-3072
More information
Details
Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Policy bypass for Host Firewall policy due to race condition in Cilium agent
BIT-cilium-2024-42488 / BIT-cilium-operator-2024-42488 / BIT-hubble-relay-2024-42488 / CVE-2024-42488 / GHSA-q7w8-72mr-vpgw / GO-2024-3072
More information
Details
Impact
A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.
Patches
This issue was fixed in https://github.com/cilium/cilium/pull/33511.
This issue affects:
This issue has been patched in:
Workarounds
As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.
Acknowledgements
The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present
BIT-cilium-2024-47825 / BIT-cilium-operator-2024-47825 / BIT-hubble-relay-2024-47825 / CVE-2024-47825 / GHSA-3wwx-63fv-pfq6 / GO-2024-3208
More information
Details
Impact
A policy rule denying a prefix that is broader than /32 may be ignored if there is
- a more narrow allow rule (CIDRSet or toFQDN) and
- enableDefaultDeny: false or
- toEntities: all
Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.
As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:
Patches
This issue affects:
This issue has been patched in:
Workarounds
Users with policies using enableDefaultDeny: false can work around this issue by removing this configuration option and explicitly defining any allow rules required. No workaround is available to users with egress policies that explicitly specify toEntities: all.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @squeed, @christarazi, and @jrajahalme for their work in triaging and resolving this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated with top priority.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present in github.com/cilium/cilium
BIT-cilium-2024-47825 / BIT-cilium-operator-2024-47825 / BIT-hubble-relay-2024-47825 / CVE-2024-47825 / GHSA-3wwx-63fv-pfq6 / GO-2024-3208
More information
Details
Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present in github.com/cilium/cilium
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
DoS in Cilium agent DNS proxy from crafted DNS responses
BIT-cilium-2025-23028 / BIT-cilium-operator-2025-23028 / BIT-hubble-relay-2025-23028 / CVE-2025-23028 / GHSA-9m5p-c77c-f9j7 / GO-2025-3415
More information
Details
Impact
In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster.
For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new connections made without relying on DNS resolution may continue to be established, but new connections which rely on DNS resolution may be disrupted. Any configuration changes that affect the impacted agent may not be applied until the agent is able to restart.
Patches
This issue affects:
This issue is fixed in:
Workarounds
There are no known workarounds to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent and the Cisco Advanced Security Initiatives Group (ASIG) to prepare these mitigations. Special thanks to @kokelley-cisco for reporting this issue and @bimmlerd for the fix.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium
BIT-cilium-2025-23028 / BIT-cilium-operator-2025-23028 / BIT-hubble-relay-2025-23028 / CVE-2025-23028 / GHSA-9m5p-c77c-f9j7 / GO-2025-3415
More information
Details
DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium
BIT-cilium-2025-23047 / BIT-cilium-operator-2025-23047 / BIT-hubble-relay-2025-23047 / CVE-2025-23047 / GHSA-h78m-j95m-5356 / GO-2025-3416
More information
Details
Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Cilium has an information leakage via insecure default Hubble UI CORS header
BIT-cilium-2025-23047 / BIT-cilium-operator-2025-23047 / BIT-hubble-relay-2025-23047 / CVE-2025-23047 / GHSA-h78m-j95m-5356 / GO-2025-3416
More information
Details
Impact
For users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart, an insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this vulnerability to be exploited, a victim would have to first visit a malicious page.
Patches
This issue was patched in cilium/cilium@a3489f1
This issue affects:
This issue is patched in:
Workarounds
Users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template as shown in the patch.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @ciffelia for reporting this issue and to @geakstr for the fix.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
cilium/cilium (github.com/cilium/cilium)
v1.15.13: 1.15.13 (Compare Source)
Summary of Changes
Major Changes:
Minor Changes:
Bugfixes:
CI Changes:
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.