Calico
Calico is a cloud-native networking and network security CNI used on Kubernetes clusters worldwide. It provides pod networking, network policy enforcement, and optional BGP integration for bare-metal and hybrid environments. NVD tracks it as projectcalico:calico. It is a common alternative to Cilium on clusters that prefer a traditional iptables/eBPF policy model.
Querying Calico
Product: calico
Versions: 3.28.0, 3.14.0, 3.13.3

curl "https://api.attestd.io/v1/check?product=calico&version=3.14.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Calico 3.14.0 is affected by CVE-2020-13597 (IPv6 route advertisement allows traffic redirection when IPv6 is enabled but unused). The aggregated response is expected to return a risk_state other than none.
{
  "product": "calico",
  "version": "3.14.0",
  "supported": true,
  "risk_state": "medium",
  "risk_factors": [
    "information_disclosure",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": true,
  "patch_available": true,
  "fixed_version": "3.14.1",
  "confidence": 0.79,
  "cve_ids": ["CVE-2020-13597"],
  "last_updated": "2026-05-22T00:00:00Z"
}

Calico 3.28.0 is used as a patched-line example; confirm with the live /v1/check endpoint after ingestion.
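The response above is only useful if something acts on it. The following is an added example, not attestd's own client code: a small CI/admission gate that parses a /v1/check response, compares the deployed version against fixed_version numerically, and decides allow/block/review. The fetch_check helper and the min_confidence threshold are assumptions; the sample response is the 3.14.0 result shown above, embedded so the gate runs offline.

```python
"""Gate a Calico deployment on an attestd /v1/check response (added example)."""
import json
import os
import urllib.parse
import urllib.request
from typing import Tuple

# Constructed sample: the /v1/check response for calico 3.14.0 shown on this page.
SAMPLE_RESPONSE = json.loads("""{
  "product": "calico", "version": "3.14.0", "supported": true,
  "risk_state": "medium",
  "risk_factors": ["information_disclosure", "patch_available"],
  "actively_exploited": false, "remote_exploitable": true,
  "authentication_required": true, "patch_available": true,
  "fixed_version": "3.14.1", "confidence": 0.79,
  "cve_ids": ["CVE-2020-13597"], "last_updated": "2026-05-22T00:00:00Z"
}""")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.14.1' into (3, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def fetch_check(product: str, version: str, timeout: float = 10.0) -> dict:
    """Hypothetical wrapper around the live endpoint; needs ATTESTD_KEY in the environment."""
    query = urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(
        f"https://api.attestd.io/v1/check?{query}",
        headers={"Authorization": f"Bearer {os.environ['ATTESTD_KEY']}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def evaluate(check: dict, min_confidence: float = 0.7) -> Tuple[str, str]:
    """Return (decision, reason): 'allow' when risk_state is none, 'block' when a fix exists
    or exploitation is active, 'review' when the data cannot be trusted."""
    if not check.get("supported", False):
        return "review", "version not covered by attestd; cannot attest"
    if check.get("confidence", 0.0) < min_confidence:
        return "review", f"confidence {check['confidence']} below {min_confidence}"
    if check.get("risk_state", "none") == "none":
        return "allow", "no known risk"
    cves = ", ".join(check.get("cve_ids", []))
    if check.get("actively_exploited"):
        return "block", f"actively exploited: {cves}"
    fixed = check.get("fixed_version")
    if fixed and parse_version(fixed) > parse_version(check["version"]):
        return "block", f"upgrade to {fixed} ({cves})"
    return "review", f"risk_state {check['risk_state']} with no fixed version"
```

Call evaluate(fetch_check("calico", "3.28.0")) in a pipeline step to gate on the live answer; an unsupported version is deliberately routed to review rather than allow, since absence of data is not absence of risk.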
curl "https://api.attestd.io/v1/check?product=calico&version=3.28.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

CVE history
NVD application-layer coverage for Calico is modest compared to Cilium or Envoy. Most documented issues involve node routing configuration, IPv6 handling, and privileged pod interactions with the host network stack.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2020-13597 | Compromised privileged pod can reconfigure node IPv6 interface via route advertisement when IPv6 is enabled but unused. | <= 3.14.0 | 6.0 |
| CVE-2024-33522 | Incorrect SUID bit on the Calico CNI install binary allows a local node attacker to execute arbitrary binaries with elevated privileges. | <= 3.27.2 | 6.7 |