4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-42487

GHSA ID

GHSA-qcm3-7879-xcww

EPSS Score

0.28533%

CWE

CWE-113

Published

8/15/2024

Updated

9/30/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-42487

CVE-2024-42487: Gateway API route matching order contradicts specification

Impact

Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule).

If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/34109.

This issue affects:

Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
Cilium v1.16.0

This issue is fixed in:

Cilium v1.15.8
Cilium v1.16.1

Workarounds

There is no workaround for this issue.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.

Further information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

(GitHub Advisory)

4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-42487

GHSA ID

GHSA-qcm3-7879-xcww

EPSS Score

0.28533%

CWE

CWE-113

Published

8/15/2024

Updated

9/30/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cilium/cilium	go	= 1.16.0	1.16.1
github.com/cilium/cilium	go	>= 1.15.0, < 1.15.8	1.15.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the route sorting logic in SortableRoute.Less() which determines match precedence. The commit diff shows the fix added method matching checks (via getMethod) before header matching checks in the sorting algorithm. The original implementation without this method check caused routes with header matches to be prioritized over method matches, violating the spec's requirement that method matching should precede header matching. The test changes in envoy_virtual_host_test.go demonstrate how method-based routes now get higher priority in the sorted order. The function's role in determining routing precedence and the direct modification to insert method checks make it clearly vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t **t*w*y *PI *TTPRout*s *n* *RP*Rout*s *o not *ollow t** m*t** pr*****n** sp**i*i** in t** **t*w*y *PI sp**i*i**tion. In p*rti*ul*r, r*qu*st *****rs *r* m*t**** ***or* r*qu*st m*t*o*s, w**n t** sp**i*i**tion **s*ri**s t**t t** r*qu*st m*t*

Reasoning

T** vuln*r**ility st*ms *rom t** rout* sortin* lo*i* in Sort**l*Rout*.L*ss() w*i** **t*rmin*s m*t** pr*****n**. T** *ommit *i** s*ows t** *ix ***** m*t*o* m*t**in* ****ks (vi* **tM*t*o*) ***or* *****r m*t**in* ****ks in t** sortin* *l*orit*m. T** ori

4

Basic Information

Concerned about an active attack path?

CVE-2024-42487: Gateway API route matching order contradicts specification

Impact

Patches

Workarounds

Acknowledgements

Further information

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI