x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-29002 #1730
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
neild
added
the
excluded: EFFECTIVELY_PRIVATE
|
Change https://go.dev/cl/503837 mentions this issue: |
This was referenced Sep 26, 2023
This was referenced Feb 20, 2024
This was referenced Mar 18, 2024
|
Change https://go.dev/cl/592760 mentions this issue: |
This was referenced Aug 15, 2024
|
Change https://go.dev/cl/606785 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 20, 2024
- data/reports/GO-2023-1700.yaml - data/reports/GO-2023-1701.yaml - data/reports/GO-2023-1707.yaml - data/reports/GO-2023-1708.yaml - data/reports/GO-2023-1716.yaml - data/reports/GO-2023-1718.yaml - data/reports/GO-2023-1719.yaml - data/reports/GO-2023-1721.yaml - data/reports/GO-2023-1723.yaml - data/reports/GO-2023-1730.yaml - data/reports/GO-2023-1735.yaml - data/reports/GO-2023-1738.yaml - data/reports/GO-2023-1747.yaml - data/reports/GO-2023-1754.yaml - data/reports/GO-2023-1758.yaml - data/reports/GO-2023-1761.yaml - data/reports/GO-2023-1763.yaml - data/reports/GO-2023-1764.yaml - data/reports/GO-2023-1768.yaml - data/reports/GO-2023-1774.yaml Updates #1700 Updates #1701 Updates #1707 Updates #1708 Updates #1716 Updates #1718 Updates #1719 Updates #1721 Updates #1723 Updates #1730 Updates #1735 Updates #1738 Updates #1747 Updates #1754 Updates #1758 Updates #1761 Updates #1763 Updates #1764 Updates #1768 Updates #1774 Change-Id: I3fc567427d68e095cc62ea48dc9b284b2414a372 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606785 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
Change https://go.dev/cl/607456 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
Fix reports which won't pass an upcoming lint check by merging / collapsing their version ranges. - data/reports/GO-2022-0617.yaml - data/reports/GO-2023-1573.yaml - data/reports/GO-2023-1574.yaml - data/reports/GO-2023-1730.yaml - data/reports/GO-2023-1946.yaml - data/reports/GO-2024-2784.yaml Updates #617 Updates #1573 Updates #1574 Updates #1730 Updates #1946 Updates #2784 Change-Id: If02308deccab77b00cf10cb3619263e456d1ea64 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607456 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
CVE-2023-29002 references github.com/cilium/cilium, which may be a Go module.
Description:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the
cilium-secretsnamespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug output from the Cilium containers could use the resulting output to intercept and modify traffic to and from the affected cluster. Output of the sensitive information would occur at Cilium agent restart, when secrets in the namespace are modified, and on creation of Ingress or GatewayAPI resources. This vulnerability is fixed in Cilium releases 1.11.16, 1.12.9, and 1.13.2. Users unable to upgrade should disable debug mode.References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: