CVE-2024-42487 MEDIUM

CVE-2024-42487: Cilium's Gateway API route matching order contradicts specification

Vendor Cilium
Product cilium
Weakness CWE-113 · HTTP response splitting
Published August 15, 2024
Last update August 15, 2024

CVSS base score

4.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched. This could result in unexpected behaviour with security This issue is fixed in Cilium v1.15.8 and v1.16.1. There is no workaround for this issue.

Key dates

02Disclosure timeline

August 15, 2024 CVE published
August 15, 2024 Record updated

Related vulnerabilities

04Related CVE