4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.0%
capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by capsule-proxy
gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. For example consider two tenants solar
and wind
. Tenant solar
, owned by a ServiceAccount named tenant-owner
in the Namespace solar
. Tenant wind
, owned by a ServiceAccount named tenant-owner
in the Namespace wind
. The Tenant owner solar
would be able to list the namespaces of the Tenant wind
and vice-versa, although this is not correct. The bug introduces an exfiltration vulnerability since allows the listing of Namespace resources of other Tenants, although just in some specific conditions: 1. capsule-proxy
runs with the --disable-caching=false
(default value: false
) and 2. Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces. This vulnerability doesn’t allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this. This issue has been addressed in version 0.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
[
{
"vendor": "projectcapsule",
"product": "capsule-proxy",
"versions": [
{
"version": "< 0.4.5",
"status": "affected"
}
]
}
]
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.0%