x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-4hc4-pgfx-3mrx

[GoVulnBot]

In GitHub Security Advisory GHSA-4hc4-pgfx-3mrx, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/cilium/cilium	1.13.1	>= 1.13.0, < 1.13.1

Cross references:

• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-c66w-hq56-4q97 #393 EFFECTIVELY_PRIVATE
• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29178 #457 EFFECTIVELY_PRIVATE
• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29179 #458 EFFECTIVELY_PRIVATE
• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-wc5v-r48v-g4vh #530 NOT_GO_CODE
• Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-pfhr-pccp-hwmh #959 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/cilium/cilium
    versions:
      - introduced: 1.13.0
        fixed: 1.13.1
    packages:
      - package: github.com/cilium/cilium
  - module: github.com/cilium/cilium
    versions:
      - introduced: 1.12.0
        fixed: 1.12.8
    packages:
      - package: github.com/cilium/cilium
  - module: github.com/cilium/cilium
    versions:
      - fixed: 1.11.15
    packages:
      - package: github.com/cilium/cilium
summary: cilium-agent container can access the host via `hostPath` mount
description: "### Impact\n\nAn attacker with access to a Cilium agent pod can write
    to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod.
    By replacing the CNI binary with their own malicious binary and waiting for the
    creation of a new pod on the node, the attacker can gain access to the underlying
    node. \n\n### Patches\n\nThe issue has been fixed and is available on versions
    >=1.11.15, >=1.12.8, >=1.13.1.\n\n### Workarounds\n\n[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
    should be used to deny users and service accounts `exec` access to Cilium agent
    pods.\n\nIn cases where a user requires `exec` access to Cilium agent pods, but
    should not have access to the underlying node, no workaround is possible.\n\n###
    References\n\n* [PR containing resolution](https://github.com/cilium/cilium/pull/24075)\n\n###
    Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent
    and Form3 to prepare these mitigations. Special thanks to Anastasios Koutlis,
    Daniel Teixeira, and Magdalena Oczadly for their cooperation. \n\n### For more
    information\n\nIf you have any questions or comments about this advisory, please
    reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nAs
    usual, if you think you found a related vulnerability, we strongly encourage you
    to report security vulnerabilities to our private security mailing list: security@cilium.io
    - first, before disclosing them in any public forums. This is a private mailing
    list where only members of the Cilium internal security team are subscribed to,
    and is treated as top priority. "
cves:
  - CVE-2023-27593
ghsas:
  - GHSA-4hc4-pgfx-3mrx
references:
  - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx
  - fix: https://github.com/cilium/cilium/pull/24075
  - advisory: https://github.com/advisories/GHSA-4hc4-pgfx-3mrx