SCA: security update for github.com/cilium/cilium (GHSA-9m5p-c77c-f9j7)

medium Tenable Self-Hosted Container Security Plugin ID 414276

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of
service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through
1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash
Cilium agents by sending a crafted DNS response to workloads from outside the cluster. For traffic that is
allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at
the time of the DoS. For workloads that have DNS-based policy configured, existing connections may
continue to operate, and new connections made without relying on DNS resolution may continue to be
established, but new connections which rely on DNS resolution may be disrupted. Any configuration changes
that affect the impacted agent may not be applied until the agent is able to restart. This issue is fixed
in Cilium v1.14.18, v1.15.12, and v1.16.5. No known workarounds are available. (CVE-2025-23028)

See Also

https://github.com/advisories/GHSA-9m5p-c77c-f9j7

Plugin Details

Severity: Medium

ID: 414276

Version: Revision 1.19

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-23028

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/22/2025

Vulnerability Publication Date: 1/22/2025

Reference Information

CVE: CVE-2025-23028

cwe: CWE-770