CVE-2024-25630 MEDIUM

CVE-2024-25630: Cilium has unencrypted ingress/health traffic when using Wireguard transparent encryption

Vendor: Cilium
Product: cilium
Weakness: CWE-311 · Missing encryption
Published: February 20, 2024
Last update: August 1, 2024

CVSS base score

6.1/10
Attack vector: Adjacent
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) together with Wireguard transparent encryption, traffic to and from the Ingress and health endpoints is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround for this issue.

Key dates

Disclosure timeline

February 20, 2024: CVE published
August 1, 2024: Record updated