We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-47825

CIDR deny policies may not take effect when a more narrow CIDR allow is present



AssignerGitHub_M
Reserved2024-10-03
Published2024-10-21
Updated2024-10-21

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more narrow prefix (`CIDRSet` or `toFQDN`) and this narrower policy rule specifies either `enableDefaultDeny: false` or `- toEntities: all`. Note that a rule specifying `toEntities: world` or `toEntities: 0.0.0.0/0` is insufficient, it must be to entity `all`.This issue has been patched in Cilium v1.14.16 and v1.15.10. As this issue only affects policies using `enableDefaultDeny: false` or that set `toEntities` to `all`, some workarounds are available. For users with policies using `enableDefaultDeny: false`, remove this configuration option and explicitly define any allow rules required. For users with egress policies that explicitly specify `toEntities: all`, use `toEntities: world`.



MEDIUM: 4.0CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Product status

>= 1.15.0, < 1.15.10
affected

>= 1.14.0, < 1.14.16
affected

References

https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6

cve.org CVE-2024-47825

nvd.nist.gov CVE-2024-47825

Download JSON

Share this page
https://cve.threatint.com
Subscribe to our newsletter to learn more about our work.