{"id":"GO-2024-2656","summary":"Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium","details":"In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted, and traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted.","aliases":["BIT-cilium-2024-28249","BIT-cilium-operator-2024-28249","BIT-cilium-proxy-2024-28249","BIT-hubble-2024-28249","BIT-hubble-relay-2024-28249","BIT-hubble-ui-2024-28249","BIT-hubble-ui-backend-2024-28249","CVE-2024-28249","GHSA-j89h-qrvr-xc36"],"modified":"2026-02-04T03:34:27.842721Z","published":"2024-03-22T18:39:28Z","related":["CGA-hr2x-8q2x-77c9"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2656","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36"}],"affected":[{"package":{"name":"github.com/cilium/cilium","ecosystem":"Go","purl":"pkg:golang/github.com/cilium/cilium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.13.13"},{"introduced":"1.14.0"},{"fixed":"1.14.8"},{"introduced":"1.15.0"},{"fixed":"1.15.2"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2656.json"}}],"schema_version":"1.7.3","credits":[{"name":"@jschwinger233"},{"name":"@julianwiedmann"},{"name":"@giorio94"},{"name":"@jrajahalme"}]}