CVE-2023-28114 (GCVE-0-2023-28114)
Vulnerability from cvelistv5
Published
2023-03-22 18:30
Modified
2025-02-25 14:51
Severity ?
4.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CWE
  • CWE-280 - Improper Handling of Insufficient Permissions or Privileges
  • CWE-755 - Improper Handling of Exceptional Conditions
Summary
`cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue. Due to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster. This issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium's Helm charts to create their cluster.
References
Impacted products
Vendor Product Version
cilium cilium-cli Version: < 0.13.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:30:24.278Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc"
          },
          {
            "name": "https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610"
          },
          {
            "name": "https://artifacthub.io/packages/helm/cilium/cilium",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://artifacthub.io/packages/helm/cilium/cilium"
          },
          {
            "name": "https://github.com/cilium/cilium-cli/releases/tag/v0.13.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/cilium/cilium-cli/releases/tag/v0.13.2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-28114",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T14:28:23.436155Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T14:51:44.533Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cilium-cli",
          "vendor": "cilium",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.13.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "`cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue.\n\nDue to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster.\n\nThis issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium\u0027s Helm charts to create their cluster."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-280",
              "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges ",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-22T18:30:16.774Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc"
        },
        {
          "name": "https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610"
        },
        {
          "name": "https://artifacthub.io/packages/helm/cilium/cilium",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://artifacthub.io/packages/helm/cilium/cilium"
        },
        {
          "name": "https://github.com/cilium/cilium-cli/releases/tag/v0.13.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cilium/cilium-cli/releases/tag/v0.13.2"
        }
      ],
      "source": {
        "advisory": "GHSA-6f27-3p6c-p5jc",
        "discovery": "UNKNOWN"
      },
      "title": "`cilium-cli` disables etcd authorization for clustermesh clusters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28114",
    "datePublished": "2023-03-22T18:30:16.774Z",
    "dateReserved": "2023-03-10T18:34:29.227Z",
    "dateUpdated": "2025-02-25T14:51:44.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc\", \"name\": \"https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610\", \"name\": \"https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://artifacthub.io/packages/helm/cilium/cilium\", \"name\": \"https://artifacthub.io/packages/helm/cilium/cilium\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/cilium/cilium-cli/releases/tag/v0.13.2\", \"name\": \"https://github.com/cilium/cilium-cli/releases/tag/v0.13.2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T12:30:24.278Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-28114\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-25T14:28:23.436155Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-25T14:28:25.260Z\"}}], \"cna\": {\"title\": \"`cilium-cli` disables etcd authorization for clustermesh clusters\", \"source\": {\"advisory\": \"GHSA-6f27-3p6c-p5jc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"cilium\", \"product\": \"cilium-cli\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.13.2\"}]}], \"references\": [{\"url\": \"https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc\", \"name\": \"https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610\", \"name\": \"https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://artifacthub.io/packages/helm/cilium/cilium\", \"name\": \"https://artifacthub.io/packages/helm/cilium/cilium\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/cilium/cilium-cli/releases/tag/v0.13.2\", \"name\": \"https://github.com/cilium/cilium-cli/releases/tag/v0.13.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"`cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue.\\n\\nDue to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster.\\n\\nThis issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium\u0027s Helm charts to create their cluster.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-280\", \"description\": \"CWE-280: Improper Handling of Insufficient Permissions or Privileges \"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-755\", \"description\": \"CWE-755: Improper Handling of Exceptional Conditions\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-03-22T18:30:16.774Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-28114\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-25T14:51:44.533Z\", \"dateReserved\": \"2023-03-10T18:34:29.227Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-03-22T18:30:16.774Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.