Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. github.com/cilium/cilium
  4. ›
  5. GMS-2022-2927

GMS-2022-2927: Cilium host policy bypass in endpoint-routes mode with dual-stack

July 15, 2022 (updated July 20, 2022)

This vulnerability allows bypassing host policies for IPv6 traffic coming from a Cilium-managed pod and destined to the host-network namespace (e.g., to a host-network pod). Host policy enforcement on IPv4 or for traffic coming from outside the node is not affected. Cilium is only affected by this vulnerability if IPv4, IPv6, endpoint routes, and the host firewall are enabled. Note that endpoint routes are typically only enabled in GKE, EKS, AKS, and OpenShift; in those environments, IPv6 is typically disabled. Host firewall is disabled by default.

References

  • github.com/advisories/GHSA-wc5v-r48v-g4vh
  • github.com/cilium/cilium/commit/c758da7e9d19cd19b96dc90424c0b5ec7409cd0a
  • github.com/cilium/cilium/security/advisories/GHSA-wc5v-r48v-g4vh

Code Behaviors & Features

Detect and mitigate GMS-2022-2927 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.10.13, all versions starting from 1.11.0 before 1.11.7

Fixed versions

  • 1.10.13
  • 1.11.7

Solution

Upgrade to versions 1.10.13, 1.11.7 or above.

Source file

go/github.com/cilium/cilium/GMS-2022-2927.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:07 +0000.