CVE-2023-34242 LOW

CVE-2023-34242: Cilium vulnerable to information leakage via incorrect ReferenceGrant handling

Vendor Cilium

Product cilium

Weakness CWE-200 · Info exposure

Published June 15, 2023

Last update December 11, 2024

View on NVD All CVEs

CVSS base score

3.4/10

Attack vector Adjacent

Attack complexity Low

Privileges required High

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of secrets (including certificates) and services across namespaces. An attacker on an affected cluster can leverage this issue to use cluster secrets that should not be visible to them, or communicate with services that they should not have access to. Gateway API functionality is disabled by default. This vulnerability is fixed in Cilium release 1.13.4. As a workaround, restrict the creation of `ReferenceGrant` resources to admin users by using Kubernetes RBAC.

Key dates

02Disclosure timeline

June 15, 2023 CVE published

December 11, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-34242

Related vulnerabilities

CVE-2023-34242: Cilium vulnerable to information leakage via incorrect ReferenceGrant handling

01Description

02Disclosure timeline

03References

04Related CVE