x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-8fg8-jh2h-f2hc

[GoVulnBot]

In GitHub Security Advisory GHSA-8fg8-jh2h-f2hc, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/cilium/cilium	1.13.1	>= 1.13.0, < 1.13.1

Cross references:

• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-c66w-hq56-4q97 #393 EFFECTIVELY_PRIVATE
• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29178 #457 EFFECTIVELY_PRIVATE
• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29179 #458 EFFECTIVELY_PRIVATE
• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-wc5v-r48v-g4vh #530 NOT_GO_CODE
• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-pfhr-pccp-hwmh #959 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/cilium/cilium
    versions:
      - introduced: 1.13.0
        fixed: 1.13.1
    packages:
      - package: github.com/cilium/cilium
  - module: github.com/cilium/cilium
    versions:
      - introduced: 1.12.0
        fixed: 1.12.8
    packages:
      - package: github.com/cilium/cilium
  - module: github.com/cilium/cilium
    versions:
      - fixed: 1.11.15
    packages:
      - package: github.com/cilium/cilium
summary: 'Potential network policy bypass when routing IPv6 traffic '
description: |-
    ## Impact

    Under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. Only IPv6 traffic is impacted by this vulnerability.

    This issue only manifests when:
    * Cilium is routing IPv6 traffic, and
    * Kube-proxy is used for service handling, and
    * NodePorts are used to route traffic to pods.

    IPv6 is disabled by default. Cilium's kube-proxy replacement feature is not affected by this vulnerability.

    ## Patches

    The problem has been fixed and is available on versions >=1.11.15, >=1.12.8, >=1.13.1

    ## Workarounds

    Disable IPv6 routing (IPv6 is disabled by default).

    ## Acknowledgements

    The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to Yusuke Suzuki for both highlighting and fixing the issue.

    ## For more information

    If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).

    As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.
cves:
  - CVE-2023-27594
ghsas:
  - GHSA-8fg8-jh2h-f2hc
references:
  - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc
  - advisory: https://github.com/advisories/GHSA-8fg8-jh2h-f2hc

[gopherbot]

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606784 mentions this issue: data/reports: unexclude 20 reports (4)