CVE-2023-30851: Potential HTTP policy bypass when using header rules in Cilium
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2023-30851
GHSA ID:
EPSS Score: 0.29165%
CWE: CWE-693 (Protection Mechanism Failure)
Published: 5/22/2023
Updated: 11/7/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/cilium/cilium | go | < 1.11.16 | 1.11.16 |
| github.com/cilium/cilium | go | >= 1.12.0, < 1.12.9 | 1.12.9 |
| github.com/cilium/cilium | go | >= 1.13.0, < 1.13.2 | 1.13.2 |
Vulnerability Intelligence
Miggo AI Root Cause Analysis
The vulnerability stems from improper merging of HTTP rules when a policy specifies multiple `toEndpoints`. The documented workaround, separating the rules per endpoint, indicates that the core issue lies in the rule aggregation logic. The patched versions fix "incorrect merging of L7 rules" (per the release notes), and the assigned CWE-693 (Protection Mechanism Failure) matches a policy enforcement mechanism that does not behave as configured. The most likely location for this logic is the HTTP rule merging code in the policy API layer.
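The policy shape the analysis describes, and the per-endpoint split it names as the workaround, as an added example. This is not code from the Cilium project or from the advisory; the labels (`app: frontend`, `app: api`, `app: admin`), the port, the path and the header value are constructed for illustration, and the upgrade to a patched version (1.11.16, 1.12.9 or 1.13.2 per the table above) remains the actual fix.

```yaml
# Constructed example: one egress rule that lists several toEndpoints and
# attaches HTTP header rules to all of them. This is the pattern the page
# associates with incorrect L7 rule merging on unpatched versions.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress-combined   # assumed name
spec:
  endpointSelector:
    matchLabels:
      app: frontend                # assumed label
  egress:
  - toEndpoints:
    - matchLabels:
        app: api                   # assumed label
    - matchLabels:
        app: admin                 # assumed label
    toPorts:
    - ports:
      - port: "8080"               # assumed port
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/.*"
          headers:
          - "X-Role: reader"       # constructed header match
---
# Workaround named on the page: the same intent expressed as one egress entry
# per destination endpoint, so no HTTP rules have to be merged across endpoints.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress-split      # assumed name
spec:
  endpointSelector:
    matchLabels:
      app: frontend
  egress:
  - toEndpoints:
    - matchLabels:
        app: api
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/.*"
          headers:
          - "X-Role: reader"
  - toEndpoints:
    - matchLabels:
        app: admin
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/.*"
          headers:
          - "X-Role: reader"
```

After applying either form, confirm the running agent version against the patched-version column with `cilium version` (or by inspecting the `cilium-agent` image tag in the DaemonSet), since the split is only a stopgap for clusters that cannot upgrade yet.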