fkie_cve-2025-30162
Vulnerability from fkie_nvd
Published
2025-03-24 19:15
Modified
2025-03-27 16:45
Severity ?
3.2 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.
References
security-advisories@github.comhttps://docs.cilium.io/en/stable/network/lb-ipam
security-advisories@github.comhttps://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj
security-advisories@github.comhttps://github.com/cilium/proxy/pull/1172
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade."
    },
    {
      "lang": "es",
      "value": "Cilium es una soluci\u00f3n de redes, observabilidad y seguridad con un plano de datos basado en eBPF. Para los usuarios de Cilium que utilizan la API de Gateway para Ingress en algunos servicios y LB-IPAM o BGP para la implementaci\u00f3n del servicio LB, y que utilizan pol\u00edticas de red para bloquear el tr\u00e1fico de salida de cargas de trabajo en un espacio de nombres a cargas de trabajo en otros espacios de nombres, se permitir\u00e1 incorrectamente el tr\u00e1fico de salida de cargas de trabajo cubiertas por dichas pol\u00edticas de red a los balanceadores de carga configurados por recursos de \"Gateway\". Los recursos de balanceadores de carga que no se implementan mediante una configuraci\u00f3n de la API de Gateway no se ven afectados por este problema. Este problema afecta a: Cilium v1.15 entre v1.15.0 y v1.15.14 inclusive, v1.16 entre v1.16.0 y v1.16.7 inclusive, y v1.17 entre v1.17.0 y v1.17.1 inclusive. Este problema se ha corregido en Cilium v1.15.15, v1.16.8 y v1.17.2. Se puede utilizar una pol\u00edtica de red Cilium para todo el cl\u00faster para solucionar este problema para los usuarios que no pueden actualizar."
    }
  ],
  "id": "CVE-2025-30162",
  "lastModified": "2025-03-27T16:45:46.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.2,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.4,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-24T19:15:52.767",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://docs.cilium.io/en/stable/network/lb-ipam"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/cilium/proxy/pull/1172"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.