GHSA-g8fc-vrcg-8vjg: Constellation has pods exposed to peers in VPC
Cilium allows outside actors (the `world` entity) to directly access pods via their internal pod IP, even if they are not exposed explicitly (e.g. via a LoadBalancer). A pod that does not authenticate clients and that does not exclude `world` traffic via network policy may leak sensitive data to an attacker inside the cloud VPC.
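The mitigation the advisory points to is a network policy that excludes `world` traffic. As an added illustration, not part of the advisory or of the Constellation project, the following CiliumNetworkPolicy restricts ingress for every pod in the `default` namespace to endpoints inside the cluster, so traffic arriving from the VPC (Cilium's `world` entity) is dropped; the namespace name and policy name are assumptions.

```yaml
# Added example (not from the advisory): deny ingress from the "world" entity
# by only allowing ingress from endpoints that Cilium classifies as "cluster"
# (pods, the local host and remote nodes). Once an ingress policy selects an
# endpoint, Cilium applies default-deny for all other ingress sources.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deny-world-ingress      # assumed name
  namespace: default            # assumed namespace; repeat per namespace
spec:
  # Empty selector: applies to every pod in this namespace.
  endpointSelector: {}
  ingress:
    - fromEntities:
        - cluster
```

To cover all namespaces at once, the same `spec` can be used in a `CiliumClusterwideNetworkPolicy`, which has no `namespace` field; after applying it, check with `kubectl get cnp -A` (or `ccnp`) that the policy is present and test that a connection from a VPC host to a pod IP no longer succeeds.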