Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. github.com/cilium/cilium
  4. ›
  5. CVE-2024-52529

CVE-2024-52529: Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges

November 25, 2024 (updated December 4, 2024)

For users with the following configuration:

  • An allow policy that selects a Layer 3 identity and a port range AND
  • A Layer 7 allow policy that selects a specific port within the first policy’s range

then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy.

This issue only affects users who use Cilium’s port range functionality, which was introduced in Cilium v1.16.

For reference, an example of a pair of policies that would trigger this issue is:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "layer-3-and-4"
spec:
endpointSelector:
matchLabels:
app: service
ingress:
- fromCIDR:
- 192.168.60.0/24
toPorts:
- ports:
- port: "80"
endPort: 444
protocol: TCP

and

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "layer-4-and-7"
spec:
endpointSelector:
matchLabels:
app: service
ingress:
toPorts:
- ports:
- port: "80"
protocol: TCP
rules:
http:
- method: "GET"
path: "/public"

In the above example, requests would be permitted to all HTTP paths on matching endpoints, rather than just GET requests to the /public path as intended by the layer-4-and-7 policy. In patched versions of Cilium, the layer-4-and-7 rule would take precedence over the layer-3-and-4 rule.

References

  • github.com/advisories/GHSA-xg58-75qf-9r67
  • github.com/cilium/cilium
  • github.com/cilium/cilium/pull/35150
  • github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67
  • nvd.nist.gov/vuln/detail/CVE-2024-52529

Code Behaviors & Features

Detect and mitigate CVE-2024-52529 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 1.16.0 before 1.16.4

Fixed versions

  • 1.16.4

Solution

Upgrade to version 1.16.4 or above.

Impact 5.8 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-755: Improper Handling of Exceptional Conditions
  • CWE-862: Missing Authorization

Source file

go/github.com/cilium/cilium/CVE-2024-52529.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:01 +0000.