
CVE-2023-28114 github.com/cilium/cilium-cli

Package

Manager: go
Name: github.com/cilium/cilium-cli
Vulnerable Version: >=0 <0.13.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00032 (percentile 0.07444)

Details

`cilium-cli` disables etcd authorization for clustermesh clusters

### Impact

`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Due to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster.

### Patches

This issue is patched in `cilium-cli` 0.13.2. All previous versions of `cilium-cli` are affected. Users who have set up cluster meshes using the Cilium Helm chart are not affected.

### Workarounds

Use Cilium's [Helm charts](https://artifacthub.io/packages/helm/cilium/cilium) to create your cluster instead.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to Marco Iorio for investigating and fixing the issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). As usual, if you think you have found a related vulnerability, we strongly encourage you to report it to our private security mailing list, [security@cilium.io](mailto:security@cilium.io), first, before disclosing it in any public forum. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and it is treated as top priority.
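The root cause described above is a class of Kubernetes misconfiguration: an initContainer writes configuration (here, etcd users and their permissions) to a mounted path, and a later mount at the same path from a different volume hides what it wrote, so the main container never enforces it. The following is an added example, not code from cilium-cli or the advisory, that checks a pod spec for exactly that pattern. The pod spec, container names, volume names and mount paths are constructed for illustration and are assumptions, not the actual manifests cilium-cli generated.

```python
"""Detect initContainer volume mounts that a regular container shadows or never uses.

Added, generic check for the misconfiguration class behind this advisory; the
pod specs below are constructed examples, not cilium-cli's real manifests.
"""
from typing import Dict, List, Tuple


def _mounts(container: dict) -> Dict[str, str]:
    """Map mountPath -> volume name for one container."""
    return {m["mountPath"]: m["name"] for m in container.get("volumeMounts", [])}


def find_shadowed_mounts(pod_spec: dict) -> List[Tuple[str, str, str, str, str]]:
    """Return (init_container, container, path, init_volume, main_volume) for every
    mountPath that an initContainer mounts from one volume while a regular
    container mounts it from a different volume. Files the initContainer wrote
    under that path are not the files the main container sees there."""
    findings = []
    for init in pod_spec.get("initContainers", []):
        init_mounts = _mounts(init)
        for c in pod_spec.get("containers", []):
            for path, vol in _mounts(c).items():
                if path in init_mounts and init_mounts[path] != vol:
                    findings.append((init["name"], c["name"], path, init_mounts[path], vol))
    return findings


def find_orphaned_init_volumes(pod_spec: dict) -> List[Tuple[str, str]]:
    """Return (init_container, volume) for volumes an initContainer writes to that
    no regular container mounts at all: the prepared configuration is discarded."""
    used = {v for c in pod_spec.get("containers", []) for v in _mounts(c).values()}
    return sorted({(init["name"], vol)
                   for init in pod_spec.get("initContainers", [])
                   for vol in _mounts(init).values() if vol not in used})


def sample_bad_spec() -> dict:
    """Constructed spec: the initContainer prepares /etc/etcd on an emptyDir, but
    the etcd container mounts a ConfigMap at the same path, hiding that work."""
    return {
        "initContainers": [{"name": "init-users",
                            "volumeMounts": [{"name": "etcd-config", "mountPath": "/etc/etcd"}]}],
        "containers": [{"name": "etcd",
                        "volumeMounts": [{"name": "etcd-config-cm", "mountPath": "/etc/etcd"},
                                         {"name": "etcd-data", "mountPath": "/var/lib/etcd"}]}],
    }


def sample_fixed_spec() -> dict:
    """Constructed spec: both containers mount the same volume at /etc/etcd."""
    return {
        "initContainers": [{"name": "init-users",
                            "volumeMounts": [{"name": "etcd-config", "mountPath": "/etc/etcd"}]}],
        "containers": [{"name": "etcd",
                        "volumeMounts": [{"name": "etcd-config", "mountPath": "/etc/etcd"},
                                         {"name": "etcd-data", "mountPath": "/var/lib/etcd"}]}],
    }


if __name__ == "__main__":
    for label, spec in (("bad", sample_bad_spec()), ("fixed", sample_fixed_spec())):
        print(label, "shadowed:", find_shadowed_mounts(spec))
        print(label, "orphaned:", find_orphaned_init_volumes(spec))
```

To run this against a live deployment, feed it the `spec` of each pod (for example from `kubectl get pod -o json`) instead of the constructed dictionaries; a non-empty result from either function means configuration prepared by an initContainer is not reaching the container that is supposed to enforce it, which is independently worth verifying on the running etcd with its own auth-status and role commands.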

Metadata

Created: 2023-03-21T22:30:43Z
Modified: 2023-03-22T21:49:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-6f27-3p6c-p5jc/GHSA-6f27-3p6c-p5jc.json
CWE IDs: ["CWE-280"]
Alternative ID: GHSA-6f27-3p6c-p5jc
Finding: F159
Auto approve: 1