{
  "schema_version": "1.4.0",
  "id": "GHSA-x989-52fc-4vr4",
  "modified": "2024-12-18T19:19:52Z",
  "published": "2024-02-20T23:45:16Z",
  "aliases": [
    "CVE-2024-25631"
  ],
  "summary": "Unencrypted traffic between pods when using Wireguard and an external kvstore",
  "details": "### Impact\n\nFor Cilium users who have enabled [an external kvstore](https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore) and [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg), traffic between pods in the affected cluster is not encrypted.\n\n### Patches\n\nThis issue affects Cilium v1.14 before v1.14.7.\n\nThis issue has been patched in Cilium v1.14.7.\n\n### Workarounds\n\nThere is no workaround to this issue - affected users are encouraged to upgrade.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @giorio94 and @gandro for their work on triaging and remediating this issue.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nIf you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.7"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25631"
    },
    {
      "type": "WEB",
      "url": "https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore"
    },
    {
      "type": "WEB",
      "url": "https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cilium/cilium"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/releases/tag/v1.14.7"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-319"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-20T23:45:16Z",
    "nvd_published_at": "2024-02-20T18:15:53Z"
  }
}