capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name

Summary

A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name.

Details

• Tenant solar, owned by a ServiceAccount named tenant-owner in the Namespace solar
• Tenant wind, owned by a ServiceAccount named tenant-owner in the Namespace wind

> Please, notice the same ServiceAccount name, although in different namespaces.

The Tenant owner solar would be able to list the namespaces of the Tenant wind and vice-versa, although this is not correct.

The bug introduces an exfiltration vulnerability since allows the listing of Namespace resources of other Tenants, although just in some specific conditions:

1. capsule-proxy runs with the --disable-caching=false (default value: false)
2. Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces.

The CVE doesn’t allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this.