{"id":"GHSA-4hc4-pgfx-3mrx","summary":"cilium-agent container can access the host via `hostPath` mount","details":"### Impact\n\nAn attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. \n\n### Patches\n\nThe issue has been fixed and is available on versions \u003e=1.11.15, \u003e=1.12.8, \u003e=1.13.1.\n\n### Workarounds\n\n[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) should be used to deny users and service accounts `exec` access to Cilium agent pods.\n\nIn cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible.\n\n### References\n\n* [PR containing resolution](https://github.com/cilium/cilium/pull/24075)\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent and Form3 to prepare these mitigations. Special thanks to Anastasios Koutlis, Daniel Teixeira, and Magdalena Oczadly for their cooperation. \n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nAs usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority. ","aliases":["BIT-cilium-2023-27593","BIT-cilium-operator-2023-27593","BIT-cilium-proxy-2023-27593","BIT-hubble-2023-27593","BIT-hubble-relay-2023-27593","BIT-hubble-ui-2023-27593","BIT-hubble-ui-backend-2023-27593","CVE-2023-27593"],"modified":"2026-02-04T04:02:10.226366Z","published":"2023-03-17T18:20:46Z","related":["CGA-28pw-8h26-f76p"],"database_specific":{"cwe_ids":["CWE-276"],"github_reviewed":true,"github_reviewed_at":"2023-03-17T18:20:46Z","severity":"MODERATE","nvd_published_at":"2023-03-17T20:15:00Z"},"references":[{"type":"WEB","url":"https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27593"},{"type":"WEB","url":"https://github.com/cilium/cilium/pull/24075"},{"type":"PACKAGE","url":"https://github.com/cilium/cilium"},{"type":"WEB","url":"https://github.com/cilium/cilium/releases/tag/v1.11.15"},{"type":"WEB","url":"https://github.com/cilium/cilium/releases/tag/v1.12.8"},{"type":"WEB","url":"https://github.com/cilium/cilium/releases/tag/v1.13.1"},{"type":"WEB","url":"https://kubernetes.io/docs/reference/access-authn-authz/rbac"}],"affected":[{"package":{"name":"github.com/cilium/cilium","ecosystem":"Go","purl":"pkg:golang/github.com/cilium/cilium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.11.15"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-4hc4-pgfx-3mrx/GHSA-4hc4-pgfx-3mrx.json"}},{"package":{"name":"github.com/cilium/cilium","ecosystem":"Go","purl":"pkg:golang/github.com/cilium/cilium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.12.0"},{"fixed":"1.12.8"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-4hc4-pgfx-3mrx/GHSA-4hc4-pgfx-3mrx.json"}},{"package":{"name":"github.com/cilium/cilium","ecosystem":"Go","purl":"pkg:golang/github.com/cilium/cilium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.13.0"},{"fixed":"1.13.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-4hc4-pgfx-3mrx/GHSA-4hc4-pgfx-3mrx.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"}]}