CVE-2024-42487

Опубликовано: 15 авг. 2024

Источник: nvd

CVSS3: 4

CVSS3: 4.3

EPSS Низкий

Описание

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched. This could result in unexpected behaviour with security This issue is fixed in Cilium v1.15.8 and v1.16.1. There is no workaround for this issue.

Ссылки

https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a
Patch
Third Party Advisory
https://github.com/cilium/cilium/pull/34109
Patch
Third Party Advisory
https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*

Версия от 1.15.0 (включая) до 1.15.8 (исключая)

cpe:2.3:a:cilium:cilium:1.16.0:*:*:*:*:*:*:*

EPSS

Процентиль: 82%

0.01788

Низкий

4 Medium

CVSS3

4.3 Medium

CVSS3

Дефекты

CWE-113

CWE-436

Связанные уязвимости

CVE-2024-42487

CVSS3: 4

debian

больше 1 года назад

Cilium is a networking, observability, and security solution with an e ...

GHSA-qcm3-7879-xcww

CVSS3: 4

github

больше 1 года назад

Gateway API route matching order contradicts specification

EPSS

Процентиль: 82%

0.01788

Низкий

4 Medium

CVSS3

4.3 Medium

CVSS3

Дефекты

CWE-113

CWE-436