{"id":"GO-2024-2657","summary":"Unencrypted traffic between nodes with WireGuard in github.com/cilium/cilium","details":"In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes, and traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.","aliases":["BIT-cilium-2024-28250","BIT-cilium-operator-2024-28250","BIT-cilium-proxy-2024-28250","BIT-hubble-2024-28250","BIT-hubble-relay-2024-28250","BIT-hubble-ui-2024-28250","BIT-hubble-ui-backend-2024-28250","CVE-2024-28250","GHSA-v6q2-4qr3-5cw6"],"modified":"2026-03-17T04:49:07.825776Z","published":"2024-03-22T18:38:17Z","related":["CGA-3vfx-4363-m729"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2657"},"references":[{"type":"ADVISORY","url":"https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6"}],"affected":[{"package":{"name":"github.com/cilium/cilium","ecosystem":"Go","purl":"pkg:golang/github.com/cilium/cilium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.14.0"},{"fixed":"1.14.8"},{"introduced":"1.15.0"},{"fixed":"1.15.2"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2657.json"}}],"schema_version":"1.7.5","credits":[{"name":"@brb"},{"name":"@giorio94"},{"name":"@gandro"},{"name":"@jschwinger233"}]}