SCA: security update for github.com/cilium/cilium (GHSA-4xp2-w642-7mcx)

high Tenable Self-Hosted Container Security Plugin ID 410485

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker
with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to
affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces.
By using a crafted `endpointSelector` that uses the `DoesNotExist` operator on the `reserved:init` label,
the attacker can create policies that bypass namespace restrictions and affect the entire Cilium cluster.
This includes potentially allowing or denying all traffic. This attack requires API server access, as
described in the Kubernetes API Server Attacker section of the Cilium Threat Model. This issue has been
resolved in Cilium versions 1.14.2, 1.13.7, and 1.12.14. As a workaround an admission webhook can be used
to prevent the use of `endpointSelectors` that use the `DoesNotExist` operator on the `reserved:init`
label in CiliumNetworkPolicies. (CVE-2023-41333)

See Also

https://github.com/advisories/GHSA-4xp2-w642-7mcx

Plugin Details

Severity: High

ID: 410485

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.36

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.7

Temporal Score: 5

Vector: CVSS2#AV:A/AC:L/Au:M/C:N/I:C/A:C

CVSS Score Source: CVE-2023-41333

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/27/2023

Vulnerability Publication Date: 9/26/2023

Reference Information

CVE: CVE-2023-41333

cwe: CWE-306