x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-h78m-j95m-5356 #3416

GoVulnBot · 2025-01-22T19:01:28Z

Advisory GHSA-h78m-j95m-5356 references a vulnerability in the following Go modules:

Module
github.com/cilium/cilium

Description:

Impact

For users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart, an insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this vulnerability to be exploited, a victim would have to first visit a malicious page.

Patches

This issue wa...

References:

ADVISORY: GHSA-h78m-j95m-5356
ADVISORY: GHSA-h78m-j95m-5356
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-23047
FIX: cilium/cilium@a3489f1

Cross references:

github.com/cilium/cilium appears in 26 other report(s):
- data/excluded/GO-2022-0530.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-wc5v-r48v-g4vh #530) NOT_GO_CODE
- data/excluded/GO-2023-1642.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-4hc4-pgfx-3mrx #1642) NOT_GO_CODE
- data/reports/GO-2022-0393.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-c66w-hq56-4q97 #393)
- data/reports/GO-2022-0457.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29178 #457)
- data/reports/GO-2022-0458.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29179 #458)
- data/reports/GO-2022-0959.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-pfhr-pccp-hwmh #959)
- data/reports/GO-2023-1643.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-8fg8-jh2h-f2hc #1643)
- data/reports/GO-2023-1644.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-r5x6-w42p-jhpp #1644)
- data/reports/GO-2023-1730.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-29002 #1730)
- data/reports/GO-2023-1785.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-2h44-x2wx-49f4 #1785)
- data/reports/GO-2023-1862.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-34242 #1862)
- data/reports/GO-2023-2078.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-gj2r-phwg-6rww #2078)
- data/reports/GO-2023-2079.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-24m5-r6hv-ccgp #2079)
- data/reports/GO-2023-2080.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-4xp2-w642-7mcx #2080)
- data/reports/GO-2024-2568.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-25630 #2568)
- data/reports/GO-2024-2569.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-25631 #2569)
- data/reports/GO-2024-2653.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-68mj-9pjq-mc85 #2653)
- data/reports/GO-2024-2656.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-j89h-qrvr-xc36 #2656)
- data/reports/GO-2024-2657.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-v6q2-4qr3-5cw6 #2657)
- data/reports/GO-2024-2666.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-pwqm-x5x6-5586 #2666)
- data/reports/GO-2024-2922.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922)
- data/reports/GO-2024-3071.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42487 #3071)
- data/reports/GO-2024-3072.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42488 #3072)
- data/reports/GO-2024-3074.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42486 #3074)
- data/reports/GO-2024-3208.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-3wwx-63fv-pfq6 #3208)
- data/reports/GO-2024-3290.yaml (x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-52529 #3290)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cilium/cilium
      versions:
        - introduced: 1.14.0
        - fixed: 1.14.19
        - introduced: 1.15.0
        - fixed: 1.15.13
        - introduced: 1.16.0
        - fixed: 1.16.6
      vulnerable_at: 1.16.5
summary: Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium
cves:
    - CVE-2025-23047
ghsas:
    - GHSA-h78m-j95m-5356
references:
    - advisory: https://github.com/advisories/GHSA-h78m-j95m-5356
    - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-h78m-j95m-5356
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-23047
    - fix: https://github.com/cilium/cilium/commit/a3489f190ba6e87b5336ee685fb6c80b1270d06d
source:
    id: GHSA-h78m-j95m-5356
    created: 2025-01-22T19:01:27.975966402Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-01-27T14:17:17Z

Change https://go.dev/cl/643498 mentions this issue: data/reports: add 7 unreviewed reports

GoVulnBot added the NeedsTriage label Jan 22, 2025

tatianab added triaged and removed NeedsTriage labels Jan 27, 2025

gopherbot closed this as completed in 744bbfb Jan 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-h78m-j95m-5356 #3416

x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-h78m-j95m-5356 #3416

GoVulnBot commented Jan 22, 2025

gopherbot commented Jan 27, 2025

x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-h78m-j95m-5356 #3416

x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-h78m-j95m-5356 #3416

Comments

GoVulnBot commented Jan 22, 2025

Impact

Patches

gopherbot commented Jan 27, 2025