x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42486 #3074

GoVulnBot · 2024-08-16T17:01:41Z

Advisory CVE-2024-42486 references a vulnerability in the following Go modules:

Module
github.com/cilium/cilium

Description:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium's GatewayAPI controller, which could lead to Gateway resources being able to access secrets for longer than intended, or to Routes having the ability to forward traffic to backends in other namespaces for longer than intended. This issue has been patched in Cilium v1.15.8 and v1.16.1. As a workaround, any modification of a related Gateway/HTTPRoute/GRPCRout...

References:

ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-42486
FIX: cilium/cilium@ed3dfa0
FIX: gateway-api: Enqueue gateway for Reference Grant changes cilium/cilium#34032
WEB: GHSA-vwf8-q6fw-4wcm

Cross references:

github.com/cilium/cilium appears in 21 other report(s):
- data/excluded/GO-2022-0393.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-c66w-hq56-4q97 #393) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0457.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29178 #457) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0458.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29179 #458) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0530.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-wc5v-r48v-g4vh #530) NOT_GO_CODE
- data/excluded/GO-2022-0959.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-pfhr-pccp-hwmh #959) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1642.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-4hc4-pgfx-3mrx #1642) NOT_GO_CODE
- data/excluded/GO-2023-1643.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-8fg8-jh2h-f2hc #1643) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1644.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-r5x6-w42p-jhpp #1644) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1730.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-29002 #1730) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1785.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-2h44-x2wx-49f4 #1785) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1862.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-34242 #1862) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2078.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-gj2r-phwg-6rww #2078) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2079.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-24m5-r6hv-ccgp #2079) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2080.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-4xp2-w642-7mcx #2080) EFFECTIVELY_PRIVATE
- data/reports/GO-2024-2568.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-25630 #2568)
- data/reports/GO-2024-2569.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-25631 #2569)
- data/reports/GO-2024-2653.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-68mj-9pjq-mc85 #2653)
- data/reports/GO-2024-2656.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-j89h-qrvr-xc36 #2656)
- data/reports/GO-2024-2657.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-v6q2-4qr3-5cw6 #2657)
- data/reports/GO-2024-2666.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-pwqm-x5x6-5586 #2666)
- data/reports/GO-2024-2922.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cilium/cilium
      vulnerable_at: 1.16.1
summary: CVE-2024-42486 in github.com/cilium/cilium
cves:
    - CVE-2024-42486
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-42486
    - fix: https://github.com/cilium/cilium/commit/ed3dfa0aab8b80f7e841a6d49d2a990ac2dca053
    - fix: https://github.com/cilium/cilium/pull/34032
    - web: https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm
source:
    id: CVE-2024-42486
    created: 2024-08-16T17:01:40.722349314Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-08-16T21:28:06Z

Change https://go.dev/cl/606361 mentions this issue: data/reports: add 2 unreviewed reports

tatianab added the triaged label Aug 16, 2024

tatianab self-assigned this Aug 19, 2024

gopherbot closed this as completed in 52066e8 Aug 19, 2024

GoVulnBot mentioned this issue Oct 21, 2024

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-47825 #3209

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42486 #3074

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42486 #3074

GoVulnBot commented Aug 16, 2024

gopherbot commented Aug 16, 2024

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42486 #3074

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42486 #3074

Comments

GoVulnBot commented Aug 16, 2024

gopherbot commented Aug 16, 2024