CVE-2024-42486: Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API
Because ReferenceGrant changes are not immediately propagated in Cilium's Gateway API controller, Gateway resources can still access Secrets in other namespaces after the associated ReferenceGrant has been revoked. As a result, Gateways may continue to establish TLS sessions using Secrets they should no longer have access to.
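As an added illustration that is not Cilium's own code, the following simplified model shows the mechanism behind the advisory: a Gateway's cross-namespace certificateRef is checked against the Gateway API ReferenceGrant rule, but the result lives in a per-Gateway cache, so a revoked grant only takes effect once the affected Gateways are re-reconciled. The Controller type, the RevokeGrants propagate flag and the namespace names used in the test are assumptions made for the example.

```go
package main

// ReferenceGrant models the fields of a gateway.networking.k8s.io ReferenceGrant
// that decide whether a Gateway in FromNS may use a Secret in the grant's own
// namespace (real grants list several from/to entries; one pair each here).
type ReferenceGrant struct {
	FromNS string // Gateway namespace permitted to reference in
	ToName string // permitted Secret name; "" permits any Secret
}
// SecretRef is one cross-namespace certificateRef on a Gateway listener.
type SecretRef struct{ GatewayNS, SecretNS, Name string }
// Controller is a simplified model (not Cilium's code). Grants is the current
// cluster state keyed by the namespace the grant lives in (the Secret's);
// Resolved is the per-Gateway cache the data path actually serves TLS from.
type Controller struct {
	Grants   map[string][]ReferenceGrant
	Refs     map[string]SecretRef // gateway key -> its certificateRef
	Resolved map[string]bool      // gateway key -> Secret currently usable
}

// allowed applies the ReferenceGrant rule against the grants as they are now.
func (c *Controller) allowed(r SecretRef) bool {
	if r.GatewayNS == r.SecretNS {
		return true // same-namespace references never need a grant
	}
	for _, g := range c.Grants[r.SecretNS] {
		if g.FromNS == r.GatewayNS && (g.ToName == "" || g.ToName == r.Name) {
			return true
		}
	}
	return false
}

// Reconcile recomputes one Gateway's cached access from the current state.
func (c *Controller) Reconcile(key string) {
	r, ok := c.Refs[key]
	c.Resolved[key] = ok && c.allowed(r)
}

// RevokeGrants deletes every grant in ns. propagate=false reproduces the
// advisory's defect: nothing re-reconciles, so the stale cache keeps granting
// access. propagate=true re-evaluates each Gateway that references into ns.
func (c *Controller) RevokeGrants(ns string, propagate bool) {
	delete(c.Grants, ns)
	for key, r := range c.Refs {
		if propagate && r.SecretNS == ns {
			c.Reconcile(key)
		}
	}
}
```

The practical check for an operator is the same as the test below: after deleting a ReferenceGrant, confirm the Gateway's listener no longer resolves the cross-namespace Secret rather than assuming the revocation was applied.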
References
- github.com/advisories/GHSA-vwf8-q6fw-4wcm
- github.com/cilium/cilium
- github.com/cilium/cilium/commit/414a96b53d51ef6e6645c44426e26bc8e7c7c059
- github.com/cilium/cilium/commit/92c110e58a7be6586819dd51fb0f6ee1ec4be8f8
- github.com/cilium/cilium/commit/ed3dfa0aab8b80f7e841a6d49d2a990ac2dca053
- github.com/cilium/cilium/pull/34032
- github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm
- nvd.nist.gov/vuln/detail/CVE-2024-42486