Search criteria
6 vulnerabilities by Tigera
CVE-2026-41185 (GCVE-0-2026-41185)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:47 – Updated: 2026-05-28 17:03
VLAI
Title
ServiceAccount token disclosure via Azure IPAM CNI plugin logs
Summary
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation — once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of sensitive information into log file
Assigner
References
4 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Tigera | Calico |
Affected:
0 , < 3.32.0
(semver)
|
|
| Tigera | Calico Enterprise |
Affected:
0 , < 3.21.7
(semver)
Affected: 3.22.0 , < 3.22.3 (semver) |
|
| Tigera | Calico Cloud |
Affected:
0 , < 22.4.0
(semver)
|
Date Public
2026-05-29 03:59
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T17:03:45.985275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:03:54.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Calico",
"vendor": "Tigera",
"versions": [
{
"lessThan": "3.32.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Calico Enterprise",
"vendor": "Tigera",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "3.22.3",
"status": "affected",
"version": "3.22.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Calico Cloud",
"vendor": "Tigera",
"versions": [
{
"lessThan": "22.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.32.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.22.3",
"versionStartIncluding": "3.22.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.4.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Anthony Tam"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Matt Dupre"
},
{
"lang": "en",
"type": "remediation verifier",
"value": "Casey Davenport"
}
],
"datePublic": "2026-05-29T03:59:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eWhen Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (\u003c/span\u003e\u003cspan\u003estdinData\u003c/span\u003e\u003cspan\u003e) at \u003c/span\u003e\u003cspan\u003eINFO\u003c/span\u003e\u003cspan\u003e level to \u003c/span\u003e\u003cspan\u003e/var/log/calico/cni/cni.log\u003c/span\u003e\u003cspan\u003e on every CNI \u003c/span\u003e\u003cspan\u003eADD\u003c/span\u003e\u003cspan\u003e and \u003c/span\u003e\u003cspan\u003eDEL\u003c/span\u003e\u003cspan\u003e invocation \u2014 once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node\u0026nbsp; can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.\u003c/span\u003e"
}
],
"value": "When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation \u2014 once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node\u00a0 can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of sensitive information into log file",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:47:42.791Z",
"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"shortName": "Tigera"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12502"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12527"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12526"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tigera.io/security-bulletins/tta-2026-002/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "ServiceAccount token disclosure via Azure IPAM CNI plugin logs",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"assignerShortName": "Tigera",
"cveId": "CVE-2026-41185",
"datePublished": "2026-05-28T15:47:42.791Z",
"dateReserved": "2026-04-17T17:41:35.905Z",
"dateUpdated": "2026-05-28T17:03:54.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6720 (GCVE-0-2026-6720)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:47 – Updated: 2026-05-28 17:04
VLAI
Title
Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
Summary
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Tigera | Calico |
Affected:
0 , < 3.32.0
(semver)
|
|
| Tigera | Calico Enterprise |
Affected:
0 , < 3.21.7
(semver)
Unaffected: 3.22.3 (semver) |
|
| Tigera | Calico Cloud |
Affected:
0 , < 22.4.0
(semver)
|
Date Public
2026-05-28 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T17:04:05.727153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:04:11.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Calico",
"vendor": "Tigera",
"versions": [
{
"lessThan": "3.32.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Calico Enterprise",
"vendor": "Tigera",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.22.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Calico Cloud",
"vendor": "Tigera",
"versions": [
{
"lessThan": "22.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.32.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.4.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation verifier",
"value": "Anthony Tam"
}
],
"datePublic": "2026-05-28T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eWhen \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e is invoked with \u003c/span\u003e\u003cspan\u003e--log-level=info\u003c/span\u003e\u003cspan\u003e or \u003c/span\u003e\u003cspan\u003e--log-level=debug\u003c/span\u003e\u003cspan\u003e, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e \u2014 can extract these credentials with zero Kubernetes privilege. \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e\u0027s default log level is \u003c/span\u003e\u003cspan\u003epanic\u003c/span\u003e\u003cspan\u003e, so this issue only triggers when verbose logging is explicitly enabled.\u003c/span\u003e"
}
],
"value": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl\u0027s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:47:42.519Z",
"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"shortName": "Tigera"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12535"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12536"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12537"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tigera.io/security-bulletins/tta-2026-003/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Calicoctl leaks cluster credentials to stderr when verbose logging is enabled",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"assignerShortName": "Tigera",
"cveId": "CVE-2026-6720",
"datePublished": "2026-05-28T15:47:42.519Z",
"dateReserved": "2026-04-20T19:31:31.065Z",
"dateUpdated": "2026-05-28T17:04:11.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41184 (GCVE-0-2026-41184)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:47 – Updated: 2026-05-28 17:04
VLAI
Title
ServiceAccount token disclosure via install-cni container logs
Summary
In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of sensitive information into log file
Assigner
References
4 references
Impacted products
Date Public
2026-05-28 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T17:04:29.437633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:04:36.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "cni-plugin",
"product": "Calico",
"vendor": "Tigera",
"versions": [
{
"status": "unaffected",
"version": "3.32.0",
"versionType": "semver"
},
{
"lessThan": "3.31.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico:3.32.0:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.31.6",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Anthony Tam"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Matt Dupre"
},
{
"lang": "en",
"type": "remediation verifier",
"value": "Casey Davenport"
}
],
"datePublic": "2026-05-28T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eIn Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the \u003c/span\u003e\u003cspan\u003e__SERVICEACCOUNT_TOKEN__\u003c/span\u003e\u003cspan\u003e placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with \u003c/span\u003e\u003cspan\u003epods/log\u003c/span\u003e\u003cspan\u003e permission in the namespace with calico-node. The token holds \u003c/span\u003e\u003cspan\u003epatch\u003c/span\u003e\u003cspan\u003e privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001.\u003c/span\u003e"
}
],
"value": "In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of sensitive information into log file",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:47:42.173Z",
"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"shortName": "Tigera"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12502"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12527"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12526"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tigera.io/security-bulletins/tta-2026-001/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "ServiceAccount token disclosure via install-cni container logs",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"assignerShortName": "Tigera",
"cveId": "CVE-2026-41184",
"datePublished": "2026-05-28T15:47:42.173Z",
"dateReserved": "2026-04-17T17:41:35.905Z",
"dateUpdated": "2026-05-28T17:04:36.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-33522 (GCVE-0-2024-33522)
Vulnerability from cvelistv5 – Published: 2024-04-29 22:19 – Updated: 2024-08-02 02:36
VLAI
Title
Privilege escalation in Calico CNI install binary
Summary
In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernetes node, can escalate their privileges by exploiting a vulnerability in the Calico CNI install binary. The issue arises from an incorrect SUID (Set User ID) bit configuration in the binary, combined with the ability to control the input binary, allowing an attacker to execute an arbitrary binary with elevated privileges.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/projectcalico/calico/issues/7981 | exploitissue-tracking |
| https://github.com/projectcalico/calico/pull/8447 | patch |
| https://github.com/projectcalico/calico/pull/8517 | patch |
| https://www.tigera.io/security-bulletins-tta-2024-001/ | vendor-advisory |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Tigera | Calico |
Affected:
0 , < v3.26.5
(semver)
Affected: v3.27.0 , < v3.27.3 (semver) Unaffected: v3.28.0 |
|
| Tigera | Calico Enterprise |
Affected:
0 , < v3.17.4
(semver)
Affected: v3.18.0 , < v3.18.2 (semver) Affected: v3.19.0-1.0 , < v3.19.0-2.0 (semver) |
|
| Tigera | Calico Cloud |
Affected:
0 , < v19.3.0
(semver)
|
|
| tigera | calico |
Affected:
0 , < v3.26.5
(semver)
Affected: v3.27.0 , < v3.27.3 (semver) Unaffected: v3.28.0 cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:* |
|
| tigera | calico_enterprise |
Affected:
0 , < v3.17.4
(semver)
Affected: v3.18.0 , < v3.18.2 (semver) Affected: v3.19.0-1.0 , < v3.19.0-2.0 (semver) cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:* |
|
| tigera | calico_cloud |
Affected:
0 , < v19.3.0
(semver)
cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:* |
Date Public
2024-04-29 19:57
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "calico",
"vendor": "tigera",
"versions": [
{
"lessThan": "v3.26.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "v3.27.3",
"status": "affected",
"version": "v3.27.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "v3.28.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "calico_enterprise",
"vendor": "tigera",
"versions": [
{
"lessThan": "v3.17.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "v3.18.2",
"status": "affected",
"version": "v3.18.0",
"versionType": "semver"
},
{
"lessThan": "v3.19.0-2.0",
"status": "affected",
"version": "v3.19.0-1.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "calico_cloud",
"vendor": "tigera",
"versions": [
{
"lessThan": "v19.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-33522",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T16:51:23.967533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T17:09:59.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:36:04.113Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/projectcalico/calico/issues/7981"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/projectcalico/calico/pull/8447"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/projectcalico/calico/pull/8517"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.tigera.io/security-bulletins-tta-2024-001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "cni-plugin",
"product": "Calico",
"repo": "https://www.tigera.io/tigera-products/calico/",
"vendor": "Tigera",
"versions": [
{
"lessThan": "v3.26.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "v3.27.3",
"status": "affected",
"version": "v3.27.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "v3.28.0"
}
]
},
{
"defaultStatus": "unaffected",
"packageName": "cni-plugin",
"product": "Calico Enterprise ",
"vendor": "Tigera",
"versions": [
{
"lessThan": "v3.17.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "v3.18.2",
"status": "affected",
"version": "v3.18.0",
"versionType": "semver"
},
{
"lessThan": "v3.19.0-2.0",
"status": "affected",
"version": "v3.19.0-1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageName": "cni-plugin",
"product": "Calico Cloud",
"vendor": "Tigera",
"versions": [
{
"lessThan": "v19.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christopher Alonso (Github: @latortuga71)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Anthony Tam"
},
{
"lang": "en",
"type": "remediation verifier",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pedro Coutinho"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Matt Dupre"
}
],
"datePublic": "2024-04-29T19:57:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eIn vulnerable \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eversions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernetes node, can escalate their privileges by exploiting a vulnerability in the Calico CNI install binary. The issue arises from an incorrect SUID (Set User ID) bit configuration in the binary, combined with the ability to control the input binary, allowing an attacker to execute an arbitrary binary with elevated privileges.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernetes node, can escalate their privileges by exploiting a vulnerability in the Calico CNI install binary. The issue arises from an incorrect SUID (Set User ID) bit configuration in the binary, combined with the ability to control the input binary, allowing an attacker to execute an arbitrary binary with elevated privileges.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-29T22:19:06.908Z",
"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"shortName": "Tigera"
},
"references": [
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/projectcalico/calico/issues/7981"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/8447"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/8517"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tigera.io/security-bulletins-tta-2024-001/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Privilege escalation in Calico CNI install binary",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"assignerShortName": "Tigera",
"cveId": "CVE-2024-33522",
"datePublished": "2024-04-29T22:19:06.908Z",
"dateReserved": "2024-04-23T16:32:33.170Z",
"dateUpdated": "2024-08-02T02:36:04.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41378 (GCVE-0-2023-41378)
Vulnerability from cvelistv5 – Published: 2023-11-06 15:00 – Updated: 2024-09-05 13:40
VLAI
Title
Calico Typha hangs during unclean TLS handshake
Summary
In certain conditions for Calico Typha (v3.26.2, v3.25.1 and below), and Calico Enterprise Typha (v3.17.1, v3.16.3, v3.15.3 and below), a client TLS handshake can block the Calico Typha server indefinitely, resulting in denial of service. The TLS Handshake() call is performed inside the main server handle for loop without any timeout allowing an unclean TLS handshake to block the main loop indefinitely while other connections will be idle waiting for that handshake to finish.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tigera.io/security-bulletins-tta-2023-001/ | vendor-advisoryrelease-notes |
| https://github.com/projectcalico/calico/pull/7908 | issue-tracking |
| https://github.com/projectcalico/calico/pull/7993 | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Calico | Typha |
Affected:
v3.26.0 , ≤ v3.26.2
(semver)
Affected: 0 , ≤ v3.25.1 (semver) |
|
| Tigera | Typha |
Affected:
v3.17.0 , ≤ v3.17.1
(semver)
Affected: v3.16.0 , ≤ v3.16.3 (semver) Affected: 0 , ≤ v3.15.3 (semver) |
|
| calico | typha |
Affected:
v3.26.0 , ≤ v3.26.2
(semver)
Affected: 0 , ≤ v3.25.1 (semver) cpe:2.3:a:calico:typha:*:*:*:*:*:*:*:* |
|
| tigera | calico |
Affected:
v3.17.0 , ≤ v3.17.1
(semver)
Affected: v3.16.0 , ≤ v3.16.3 (semver) Affected: 0 , ≤ v3.15.3 (semver) cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:* |
Date Public
2023-11-06 15:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:35.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"release-notes",
"x_transferred"
],
"url": "https://www.tigera.io/security-bulletins-tta-2023-001/"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/projectcalico/calico/pull/7908"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/projectcalico/calico/pull/7993"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:calico:typha:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "typha",
"vendor": "calico",
"versions": [
{
"lessThanOrEqual": "v3.26.2",
"status": "affected",
"version": "v3.26.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "v3.25.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "calico",
"vendor": "tigera",
"versions": [
{
"lessThanOrEqual": "v3.17.1",
"status": "affected",
"version": "v3.17.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "v3.16.3",
"status": "affected",
"version": "v3.16.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "v3.15.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:31:52.190285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:40:37.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Typha",
"vendor": "Calico",
"versions": [
{
"lessThanOrEqual": "v3.26.2",
"status": "affected",
"version": "v3.26.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "v3.25.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Typha",
"vendor": "Tigera",
"versions": [
{
"lessThanOrEqual": "v3.17.1",
"status": "affected",
"version": "v3.17.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "v3.16.3",
"status": "affected",
"version": "v3.16.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "v3.15.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rodrigo Fior Kuntzer (Github: rodrigorfk)"
},
{
"lang": "en",
"type": "remediation verifier",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Anthony Tam"
},
{
"lang": "en",
"type": "remediation reviewer",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation developer",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Shaun Crampton"
},
{
"lang": "en",
"type": "remediation reviewer",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Matt Dupre"
}
],
"datePublic": "2023-11-06T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eIn certain conditions for Calico Typha (v3.26.2, v3.25.1 and below), and Calico Enterprise Typha (v3.17.1, v3.16.3, v3.15.3 and below), a client TLS handshake can block the Calico Typha server indefinitely, resulting in denial of service. The TLS Handshake() call is performed inside the main server handle for loop without any timeout allowing an unclean TLS handshake to block the main loop indefinitely while other connections will be idle waiting for that handshake to finish.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "In certain conditions for Calico Typha (v3.26.2, v3.25.1 and below), and Calico Enterprise Typha (v3.17.1, v3.16.3, v3.15.3 and below), a client TLS handshake can block the Calico Typha server indefinitely, resulting in denial of service. The TLS Handshake() call is performed inside the main server handle for loop without any timeout allowing an unclean TLS handshake to block the main loop indefinitely while other connections will be idle waiting for that handshake to finish.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T15:00:53.249Z",
"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"shortName": "Tigera"
},
"references": [
{
"tags": [
"vendor-advisory",
"release-notes"
],
"url": "https://www.tigera.io/security-bulletins-tta-2023-001/"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/projectcalico/calico/pull/7908"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/7993"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Calico Typha hangs during unclean TLS handshake",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"assignerShortName": "Tigera",
"cveId": "CVE-2023-41378",
"datePublished": "2023-11-06T15:00:53.249Z",
"dateReserved": "2023-08-29T17:03:16.306Z",
"dateUpdated": "2024-09-05T13:40:37.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28224 (GCVE-0-2022-28224)
Vulnerability from cvelistv5 – Published: 2022-06-06 17:19 – Updated: 2024-09-16 20:31
VLAI
Title
Calico and Calico Enterprise may be vulnerable to route hijacking with the floating IP feature
Summary
Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.
Severity
5.5 (Medium)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.tigera.io/security-bulletins-tta-2022-001/ | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Tigera | Calico Enterprise |
Affected:
unspecified , ≤ v3.12.0
(custom)
|
|
| Project Calico | Calico |
Affected:
unspecified , ≤ v3.22.1
(custom)
|
Date Public
2022-06-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:48:37.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tigera.io/security-bulletins-tta-2022-001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Calico Enterprise",
"vendor": "Tigera",
"versions": [
{
"lessThanOrEqual": "v3.12.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Calico",
"vendor": "Project Calico",
"versions": [
{
"lessThanOrEqual": "v3.22.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-06-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Information Exposure Through Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-06T17:19:12.000Z",
"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"shortName": "Tigera"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tigera.io/security-bulletins-tta-2022-001/"
}
],
"title": "Calico and Calico Enterprise may be vulnerable to route hijacking with the floating IP feature",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@tigera.io",
"DATE_PUBLIC": "2022-06-01T21:01:00.000Z",
"ID": "CVE-2022-28224",
"STATE": "PUBLIC",
"TITLE": "Calico and Calico Enterprise may be vulnerable to route hijacking with the floating IP feature"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Calico Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "v3.12.0"
}
]
}
}
]
},
"vendor_name": "Tigera"
},
{
"product": {
"product_data": [
{
"product_name": "Calico",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "v3.22.1"
}
]
}
}
]
},
"vendor_name": "Project Calico"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-201 Information Exposure Through Sent Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tigera.io/security-bulletins-tta-2022-001/",
"refsource": "MISC",
"url": "https://www.tigera.io/security-bulletins-tta-2022-001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"assignerShortName": "Tigera",
"cveId": "CVE-2022-28224",
"datePublished": "2022-06-06T17:19:12.810Z",
"dateReserved": "2022-03-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:31:41.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}