Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-42487

Good to know:

icon

Date: August 15, 2024

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched. This could result in unexpected behaviour with security This issue is fixed in Cilium v1.15.8 and v1.16.1. There is no workaround for this issue.

Language: Go

Severity Score

Related Resources (8)

https://github.com/cilium/cilium/pull/34109
https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww
https://github.com/cilium/cilium/commit/fe42273566a943a0f3174c87b23a195c856b51d6
https://github.com/cilium/cilium
https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a
https://github.com/cilium/cilium/commit/d88772b9c29e370becbc4547cada6711d51edcde
https://nvd.nist.gov/vuln/detail/CVE-2024-42487
https://www.mend.io/vulnerability-database/CVE-2024-42487

Severity Score

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-113

Interpretation Conflict

CWE-436

Top Fix

icon

Upgrade Version

Upgrade to version github.com/cilium/cilium-v1.15.8,v1.16.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us