data/reports: add GO-2024-2653.yaml
Aliases: CVE-2024-28248, GHSA-68mj-9pjq-mc85
Fixes golang/vulndb#2653
Change-Id: I38bc1778231b3c2584453ce6828260ae622be7f6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/573655
Run-TryBot: Tim King <taking@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-2653.json b/data/osv/GO-2024-2653.json
new file mode 100644
index 0000000..9acb54b
--- /dev/null
+++ b/data/osv/GO-2024-2653.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2653",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-28248",
+ "GHSA-68mj-9pjq-mc85"
+ ],
+ "summary": "HTTP policy bypass in github.com/cilium/cilium",
+ "details": "Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cilium/cilium",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "1.13.9"
+ },
+ {
+ "fixed": "1.13.13"
+ },
+ {
+ "introduced": "1.14.0"
+ },
+ {
+ "fixed": "1.14.8"
+ },
+ {
+ "introduced": "1.15.0"
+ },
+ {
+ "fixed": "1.15.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://docs.cilium.io/en/stable/security/policy/language/#http"
+ }
+ ],
+ "credits": [
+ {
+ "name": "@romikps"
+ },
+ {
+ "name": "@sayboras"
+ },
+ {
+ "name": "@jrajahalme"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2653"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2653.yaml b/data/reports/GO-2024-2653.yaml
new file mode 100644
index 0000000..8f5898e
--- /dev/null
+++ b/data/reports/GO-2024-2653.yaml
@@ -0,0 +1,26 @@
+id: GO-2024-2653
+modules:
+ - module: github.com/cilium/cilium
+ versions:
+ - introduced: 1.13.9
+ fixed: 1.13.13
+ - introduced: 1.14.0
+ fixed: 1.14.8
+ - introduced: 1.15.0
+ fixed: 1.15.2
+ vulnerable_at: 1.15.1
+summary: HTTP policy bypass in github.com/cilium/cilium
+description: |-
+ Cilium's HTTP policies are not consistently applied to all traffic in the scope
+ of the policies, leading to HTTP traffic being incorrectly and intermittently
+ forwarded when it should be dropped.
+cves:
+ - CVE-2024-28248
+ghsas:
+ - GHSA-68mj-9pjq-mc85
+credits:
+ - '@romikps'
+ - '@sayboras'
+ - '@jrajahalme'
+references:
+ - web: https://docs.cilium.io/en/stable/security/policy/language/#http
