CVE-2023-30851 LOW

CVE-2023-30851: Potential HTTP policy bypass when using header rules in Cilium

Vendor Cilium
Product cilium
Weakness CWE-693
Published May 25, 2023
Last update January 16, 2025

CVSS base score

2.6/10
Attack vector Adjacent
Attack complexity High
Privileges required High
User interaction None
Scope Changed
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. This issue only affects users who have an HTTP policy that applies to multiple `toEndpoints` AND an allow-all rule in place that affects only one of those endpoints. In such cases, a wildcard rule is appended to the set of HTTP rules, which could allow the HTTP policy to be bypassed. This issue has been patched in Cilium 1.11.16, 1.12.9, and 1.13.2.

Disclosure timeline

May 25, 2023 CVE published
January 16, 2025 Record updated