Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29178 #457

Closed
GoVulnBot opened this issue May 20, 2022 · 3 comments
Closed
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2022-29178 references github.com/cilium/cilium, which may be a Go module.

Description:
Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 1000 can access the API of Cilium via Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system availability on that host. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. A potential workaround is to modify Cilium's DaemonSet to run with a certain command, which can be found in the GitHub Security Advisory for this vulnerability.

Links:

See doc/triage.md for instructions on how to triage this report.

module: github.com/cilium/cilium
package: cilium
description: |
    Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 1000 can access the API of Cilium via Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system availability on that host. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. A potential workaround is to modify Cilium's DaemonSet to run with a certain command, which can be found in the GitHub Security Advisory for this vulnerability.
cves:
  - CVE-2022-29178
links:
    context:
      - https://github.com/cilium/cilium/releases/tag/v1.10.11
      - https://github.com/cilium/cilium/releases/tag/v1.11.5
      - https://github.com/cilium/cilium/releases/tag/v1.9.16
      - https://github.com/cilium/cilium/security/advisories/GHSA-6p8v-8cq8-v2r3

@neild
Copy link
Contributor

neild commented Jun 14, 2022

Vulnerability in tool.

@neild neild closed this as completed Jun 14, 2022
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 10, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592768 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607219 mentions this issue: data/reports: unexclude 20 reports (17)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0457.yaml
  - data/reports/GO-2022-0458.yaml
  - data/reports/GO-2022-0459.yaml
  - data/reports/GO-2022-0471.yaml
  - data/reports/GO-2022-0473.yaml
  - data/reports/GO-2022-0480.yaml
  - data/reports/GO-2022-0482.yaml
  - data/reports/GO-2022-0483.yaml
  - data/reports/GO-2022-0490.yaml
  - data/reports/GO-2022-0491.yaml
  - data/reports/GO-2022-0494.yaml
  - data/reports/GO-2022-0495.yaml
  - data/reports/GO-2022-0496.yaml
  - data/reports/GO-2022-0497.yaml
  - data/reports/GO-2022-0498.yaml
  - data/reports/GO-2022-0499.yaml
  - data/reports/GO-2022-0500.yaml
  - data/reports/GO-2022-0501.yaml
  - data/reports/GO-2022-0502.yaml
  - data/reports/GO-2022-0505.yaml

Updates #457
Updates #458
Updates #459
Updates #471
Updates #473
Updates #480
Updates #482
Updates #483
Updates #490
Updates #491
Updates #494
Updates #495
Updates #496
Updates #497
Updates #498
Updates #499
Updates #500
Updates #501
Updates #502
Updates #505

Change-Id: I92c5f4afd83bb1c6bd9f448bc65ca730c64ce770
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607219
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants