CVE-2024-42487

MEDIUM

Cilium <1.15.8-1.16.1 - Info Disclosure

Title source: llm

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched. This could result in unexpected behaviour with security This issue is fixed in Cilium v1.15.8 and v1.16.1. There is no workaround for this issue.

References (3)

[Vendor Advisory] https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww

[Patch, Third Party Advisory] https://github.com/cilium/cilium/pull/34109

[Patch, Third Party Advisory] https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a

View Patch ZIP pw:eip

Scores

CVSS v3 4.0

EPSS 0.0180

EPSS Percentile 82.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-113 CWE-436

Status published

Products (3)

cilium/cilium 1.16.0

cilium/cilium 1.15.0 - 1.15.8

cilium/cilium 1.16.0 - 1.16.1Go

Published Aug 15, 2024

Tracked Since Feb 18, 2026