{
  "schema_version": "1.4.0",
  "id": "GHSA-68mj-9pjq-mc85",
  "modified": "2024-03-19T18:31:29Z",
  "published": "2024-03-18T20:30:22Z",
  "aliases": [
    "CVE-2024-28248"
  ],
  "summary": "Intermittent HTTP policy bypass",
  "details": "### Impact\n\nCilium's [HTTP policies](https://docs.cilium.io/en/stable/security/policy/language/#http) are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.\n\n### Patches\n\nThis issue affects:\n\n* Cilium v1.13 between v1.13.9 and v1.13.12 inclusive\n* Cilium v1.14 between v1.14.0 and v1.14.7 inclusive\n* Cilium v1.15.0 and v1.15.1\n\nThis issue has been patched in:\n\n* Cilium v1.15.2\n* Cilium v1.14.8\n* Cilium v1.13.13\n\n### Workarounds\n\nThere is no workaround for this issue – affected users are strongly encouraged to upgrade.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @romikps for discovering and reporting this issue, and @sayboras and @jrajahalme for preparing the fix.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nIf you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium internal security team, and your report will be treated as top priority.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "1.13.9"
            },
            {
              "fixed": "1.13.13"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.8"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "1.15.0"
            },
            {
              "fixed": "1.15.2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28248"
    },
    {
      "type": "WEB",
      "url": "https://docs.cilium.io/en/stable/security/policy/language/#http"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cilium/cilium"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/releases/tag/v1.13.13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/releases/tag/v1.14.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/releases/tag/v1.15.2"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-18T20:30:22Z",
    "nvd_published_at": "2024-03-18T22:15:08Z"
  }
}