Affected by GO-2022-0393
and 17 other vulnerabilities
GO-2022-0393: Network policy may be bypassed by some ICMP Echo Requests in github.com/cilium/cilium
GO-2022-0457: Access to Unix domain socket can lead to privileges escalation in Cilium in github.com/cilium/cilium
GO-2022-0458: Improper Privilege Management in Cilium in github.com/cilium/cilium
GO-2022-0959: Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium
GO-2023-1643: Potential network policy bypass when routing IPv6 traffic in github.com/cilium/cilium
GO-2023-1730: Debug mode leaks confidential data in Cilium in github.com/cilium/cilium
GO-2023-1785: Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium
GO-2023-2078: Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium
GO-2023-2079: Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium
GO-2023-2080: Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium
GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium
GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium
GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium
GO-2025-4167: Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic in Ciliumgithub.com/cilium/cilium
GO-2026-4856: Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic in github.com/cilium/cilium
GO-2026-5400: Cillium exposes sensitive information included in the cilium-bugtool debug archive in github.com/cilium/cilium
GO-2026-5905: Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access in github.com/cilium/cilium
GO-2026-5914: CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation in github.com/cilium/cilium
ExtractNamespace extracts the namespace of ObjectMeta.
For cluster scoped objects the Namespace field is empty and this function
assumes that the object is returned from kubernetes itself implying that
the namespace is empty only and only when the Object is cluster scoped
and thus returns empty namespace for such objects.
GetObjNamespaceName returns the object's namespace and name.
If the object is cluster scoped then the function returns only the object name
without any namespace prefix.
GetServiceListOptionsModifier returns the options modifier for service object list.
This methods returns a ListOptions modifier which adds a label selector to only
select services that are in context of Cilium.
Like kube-proxy Cilium does not select services containing k8s headless service label.
We honor service.kubernetes.io/service-proxy-name label in the service object and only
handle services that match our service proxy name. If the service proxy name for Cilium
is an empty string, we assume that Cilium is the default service handler in which case
we select all services that don't have the above mentioned label.