
Missing Encryption of Sensitive Data

CVE-2024-28250

Severity Medium
Score 6.1/10

Summary

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions 1.14.0-pre.2 through 1.14.7, 1.15.0-pre.0 through 1.15.1, and 1.16.0-pre.0, in Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies, WireGuard-eligible traffic sent between a node's Envoy proxy and pods on other nodes is sent unencrypted, and WireGuard-eligible traffic sent between a node's DNS proxy and pods on other nodes is likewise sent unencrypted. In other words, traffic that is redirected through the L7 proxy bypasses the WireGuard tunnel on its way to a pod on another node. This issue has been resolved in Cilium native routing mode ("routingMode=native") and Cilium tunneling mode ("routingMode=tunnel"). Note that in tunneling mode, "encryption.wireguard.encapsulate" must be set to "true". There is no known workaround for this issue.
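The following is an added example, not code from the Cilium project or from this advisory. It encodes the inclusive version ranges listed above and the two configuration conditions the advisory names (WireGuard enabled; tunneling mode needs "encryption.wireguard.encapsulate=true") so that an operator can test a cluster's reported version and Helm settings offline. The version comparison follows semver pre-release ordering, which matters because Cilium ships "-pre.N" and "-rc.N" builds. The CiliumConfig field names and the sample clusters at the bottom are assumptions made for the example; the Helm keys they stand for are the ones the advisory mentions.

```python
"""Version-range and configuration check for CVE-2024-28250 (Cilium WireGuard + L7 proxy)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Inclusive ranges copied from the advisory text above.
AFFECTED_RANGES = [
    ("1.14.0-pre.2", "1.14.7"),
    ("1.15.0-pre.0", "1.15.1"),
    ("1.16.0-pre.0", "1.16.0-pre.0"),
]

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str):
    """Parse 'v1.14.0-pre.2' into a tuple that sorts by semver rules."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        # A release sorts after every pre-release of the same core version.
        return core, (1, ())
    idents = []
    for ident in pre.split("."):
        # Numeric identifiers sort before alphanumeric ones and compare numerically.
        idents.append((0, int(ident)) if ident.isdigit() else (1, ident))
    return core, (0, tuple(idents))


def is_affected_version(version: str) -> bool:
    """True when the version lies inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


@dataclass
class CiliumConfig:
    """Subset of a Cilium Helm values file relevant to this advisory (field names are ours)."""
    version: str
    wireguard_enabled: bool               # encryption.enabled=true with encryption.type=wireguard
    routing_mode: str                     # routingMode: "native" or "tunnel"
    wireguard_encapsulate: bool = False   # encryption.wireguard.encapsulate
    has_l7_policy: bool = True            # any CiliumNetworkPolicy with HTTP/DNS (L7) rules


def assess(cfg: CiliumConfig) -> list[str]:
    """Return findings an operator should act on; an empty list means none from this advisory."""
    findings = []
    if not cfg.wireguard_enabled:
        return findings  # the advisory only concerns WireGuard-encrypted clusters
    if is_affected_version(cfg.version):
        exposure = "is" if cfg.has_l7_policy else "would be"
        findings.append(
            f"Cilium {cfg.version} is in an affected range: traffic between the L7 proxy "
            f"(Envoy or DNS) and pods on other nodes {exposure} sent unencrypted; upgrade"
        )
    if cfg.routing_mode == "tunnel" and not cfg.wireguard_encapsulate:
        findings.append(
            "routingMode=tunnel: set encryption.wireguard.encapsulate=true, "
            "otherwise the fix does not cover proxy traffic"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample clusters, not real deployments.
    for sample in (
        CiliumConfig("v1.15.1", True, "tunnel"),
        CiliumConfig("1.14.7", True, "native"),
        CiliumConfig("1.14.7", False, "tunnel"),
    ):
        print(sample.version, assess(sample) or ["no findings from this advisory"])
```

Feed it the version from `cilium version` and the values from `helm get values cilium -n kube-system`; an empty result only means this advisory has nothing to say about the cluster, not that the cluster is otherwise up to date.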

CVSS v3 base metrics (vector AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N):

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

CWE-311 - Missing Encryption of Sensitive Data

The software does not encrypt sensitive or critical information before storage or transmission.

Advisory Timeline

  • Published