{"id":"GHSA-x989-52fc-4vr4","summary":"Unencrypted traffic between pods when using Wireguard and an external kvstore","details":"### Impact\n\nFor Cilium users who have enabled [an external kvstore](https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore) and [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg), traffic between pods in the affected cluster is not encrypted.\n\n### Patches\n\nThis issue affects Cilium v1.14 before v1.14.7.\n\nThis issue has been patched in Cilium v1.14.7.\n\n### Workarounds\n\nThere is no workaround to this issue - affected users are encouraged to upgrade.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @giorio94 and @gandro for their work on triaging and remediating this issue.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nIf you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.\n","aliases":["BIT-cilium-2024-25631","BIT-cilium-operator-2024-25631","BIT-cilium-proxy-2024-25631","BIT-hubble-2024-25631","BIT-hubble-relay-2024-25631","BIT-hubble-ui-2024-25631","BIT-hubble-ui-backend-2024-25631","CVE-2024-25631","GO-2024-2569"],"modified":"2026-01-30T01:30:17.692691Z","published":"2024-02-20T23:45:16Z","related":["CGA-8rjw-rcv5-pvpw"],"database_specific":{"severity":"MODERATE","nvd_published_at":"2024-02-20T18:15:53Z","github_reviewed_at":"2024-02-20T23:45:16Z","github_reviewed":true,"cwe_ids":["CWE-311","CWE-319"]},"references":[{"type":"WEB","url":"https://github.com/cilium/cilium/security/advisories/GHSA-x989-52fc-4vr4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25631"},{"type":"WEB","url":"https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore"},{"type":"WEB","url":"https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg"},{"type":"PACKAGE","url":"https://github.com/cilium/cilium"},{"type":"WEB","url":"https://github.com/cilium/cilium/releases/tag/v1.14.7"}],"affected":[{"package":{"name":"github.com/cilium/cilium","ecosystem":"Go","purl":"pkg:golang/github.com/cilium/cilium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.14.0"},{"fixed":"1.14.7"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-x989-52fc-4vr4/GHSA-x989-52fc-4vr4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}