x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307

CVE-2024-37307 references [github.com/cilium/cilium](https://github.com/cilium/cilium), which may be a Go module.

Description:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.0 and prior to versions 1.13.7, 1.14.12, and 1.15.6, the output of `cilium-bugtool` can contain sensitive data when the tool is run (with the `--envoy-dump` flag set) against Cilium deployments with the Envoy proxy enabled. Users of the TLS inspection, Ingress with TLS termination, Gateway API with TLS termination, and Kafka network policies with API key filtering features are affected. The sensitive data includes the CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API and the API keys used in Kafka-related network policy. `cilium-bugtool` is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster. This issue has been patched in Cilium v1.15.6, v1.14.12, and v1.13.17. There is no workaround to this issue.

References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-37307
- JSON: https://github.com/CVEProject/cvelist/tree/271475c5fecb1dbaee25950f6507754c970aa410/2024/37xxx/CVE-2024-37307.json
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37307
- fix: https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407
- fix: https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a
- fix: https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741
- fix: https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653
- fix: https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b
- fix: https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61
- web: https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j
- Imported by: https://pkg.go.dev/github.com/cilium/cilium?tab=importedby

Cross references:
- Module github.com/cilium/cilium appears in issue #393  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #457  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #458  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #530  NOT_GO_CODE
- Module github.com/cilium/cilium appears in issue #959  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #1642  NOT_GO_CODE
- Module github.com/cilium/cilium appears in issue #1643  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #1644  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #1730  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #1785  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #1862  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #2078  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #2079  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #2080  EFFECTIVELY_PRIVATE
- Module github.com/cilium/cilium appears in issue #2568
- Module github.com/cilium/cilium appears in issue #2569
- Module github.com/cilium/cilium appears in issue #2653
- Module github.com/cilium/cilium appears in issue #2656
- Module github.com/cilium/cilium appears in issue #2657
- Module github.com/cilium/cilium appears in issue #2666


See [doc/triage.md](https://github.com/golang/vulndb/blob/master/doc/triage.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/cilium/cilium
      vulnerable_at: 1.15.6
      packages:
        - package: cilium
summary: CVE-2024-37307 in github.com/cilium/cilium
cves:
    - CVE-2024-37307
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37307
    - fix: https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407
    - fix: https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a
    - fix: https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741
    - fix: https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653
    - fix: https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b
    - fix: https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61
    - web: https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j
source:
    id: CVE-2024-37307
    created: 2024-06-13T18:01:10.363020353Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions