CVE-2023-30851 - Vulnerability Details - OpenCVE

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cilium	Cilium

Configuration 1 [-]

OR	cpe:2.3:a:cilium:cilium::::::::
	cpe:2.3:a:cilium:cilium::::::::
	cpe:2.3:a:cilium:cilium::::::::

No data.

References

Link	Providers
https://github.com/cilium/cilium/releases/tag/v1.11.16
https://github.com/cilium/cilium/releases/tag/v1.12.9
https://github.com/cilium/cilium/releases/tag/v1.13.2
https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4

History

Thu, 16 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-25T17:47:51.095Z

Updated: 2025-01-16T19:15:24.959Z

Reserved: 2023-04-18T16:13:15.881Z

Link: CVE-2023-30851

Vulnrichment

Updated: 2024-08-02T14:37:15.467Z

NVD

Status : Modified

Published: 2023-05-25T18:15:10.240

Modified: 2024-11-21T08:00:58.323

Link: CVE-2023-30851

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30851", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-18T16:13:15.881Z", "datePublished": "2023-05-25T17:47:51.095Z", "dateUpdated": "2025-01-16T19:15:24.959Z"}, "containers": {"cna": {"title": "Potential HTTP policy bypass when using header rules in Cilium", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.11.16", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.11.16"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.12.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.12.9"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.13.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.2"}], "affected": [{"vendor": "cilium", "product": "cilium", "versions": [{"version": "< 1.11.16", "status": "affected"}, {"version": ">= 1.12.0, < 1.12.9", "status": "affected"}, {"version": ">= 1.13.0, < 1.13.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-25T17:47:51.095Z"}, "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2."}], "source": {"advisory": "GHSA-2h44-x2wx-49f4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.467Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.11.16", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.11.16"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.12.9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.12.9"}, {"name": "https://github.com/cilium/cilium/releases/tag/v1.13.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.2"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-16T19:15:03.306440Z", "id": "CVE-2023-30851", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T19:15:24.959Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4", "name": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/cilium/cilium/releases/tag/v1.11.16", "name": "https://github.com/cilium/cilium/releases/tag/v1.11.16", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/cilium/cilium/releases/tag/v1.12.9", "name": "https://github.com/cilium/cilium/releases/tag/v1.12.9", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/cilium/cilium/releases/tag/v1.13.2", "name": "https://github.com/cilium/cilium/releases/tag/v1.13.2", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.467Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-30851", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-16T19:15:03.306440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T19:15:16.929Z"}}], "cna": {"title": "Potential HTTP policy bypass when using header rules in Cilium", "source": {"advisory": "GHSA-2h44-x2wx-49f4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "cilium", "product": "cilium", "versions": [{"status": "affected", "version": "< 1.11.16"}, {"status": "affected", "version": ">= 1.12.0, < 1.12.9"}, {"status": "affected", "version": ">= 1.13.0, < 1.13.2"}]}], "references": [{"url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4", "name": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cilium/cilium/releases/tag/v1.11.16", "name": "https://github.com/cilium/cilium/releases/tag/v1.11.16", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cilium/cilium/releases/tag/v1.12.9", "name": "https://github.com/cilium/cilium/releases/tag/v1.12.9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cilium/cilium/releases/tag/v1.13.2", "name": "https://github.com/cilium/cilium/releases/tag/v1.13.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-25T17:47:51.095Z"}}}, "cveMetadata": {"cveId": "CVE-2023-30851", "state": "PUBLISHED", "dateUpdated": "2025-01-16T19:15:24.959Z", "dateReserved": "2023-04-18T16:13:15.881Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-05-25T17:47:51.095Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "matchCriteriaId": "826FEF2C-9172-44D8-AE4C-B656329510F2", "versionEndExcluding": "1.11.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8371AD7-2C69-4584-B0C3-2AB4E632FC37", "versionEndExcluding": "1.12.9", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2A8D7A6-200B-443C-B171-512964293B8D", "versionEndExcluding": "1.13.2", "versionStartIncluding": "1.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only impacts users who have a HTTP policy that applies to multiple `toEndpoints` AND have an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule will be appended to the set of HTTP rules, which could cause bypass of HTTP policies. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2."}], "id": "CVE-2023-30851", "lastModified": "2024-11-21T08:00:58.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-25T18:15:10.240", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.11.16"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.12.9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.11.16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.12.9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/cilium/cilium/releases/tag/v1.13.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/cilium/cilium/security/advisories/GHSA-2h44-x2wx-49f4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}