CVSS3: 4.3 Medium

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | NONE |
| Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 7.1 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 14.0%)

A bug in the RoleBinding reflector used by `capsule-proxy` gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name.

- `solar`, owned by a ServiceAccount named `tenant-owner` in the Namespace `solar`
- `wind`, owned by a ServiceAccount named `tenant-owner` in the Namespace `wind`

> Please, notice the same ServiceAccount name, although in different namespaces.

The Tenant owner `solar` would be able to list the namespaces of the Tenant `wind` and vice-versa, although this is not correct.

The bug introduces an exfiltration vulnerability, since it allows the listing of Namespace resources of other Tenants, although only under some specific conditions:

- `capsule-proxy` runs with `--disable-caching=false` (default value: `false`)

The CVE doesn’t allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this.

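An audit for the exposure described above, as an added example (not part of the advisory or the Capsule project's code): it scans Tenant objects for ServiceAccount owners whose name is reused across different Namespaces by different Tenants. It assumes Tenant JSON shaped like the output of `kubectl get tenants -o json`, with owners under `spec.owners` and ServiceAccount owner names in the form `system:serviceaccount:<namespace>:<name>`; the function name and the sample data are constructed for illustration.

```python
from collections import defaultdict

SA_PREFIX = "system:serviceaccount:"  # assumed owner-name format for ServiceAccounts


def _tenant(name, kind, owner):
    """Build a minimal Tenant object (constructed sample, assumed schema)."""
    return {"metadata": {"name": name},
            "spec": {"owners": [{"kind": kind, "name": owner}]}}


# Constructed sample mirroring the advisory's solar/wind scenario.
SAMPLE = {"items": [
    _tenant("solar", "ServiceAccount", "system:serviceaccount:solar:tenant-owner"),
    _tenant("wind", "ServiceAccount", "system:serviceaccount:wind:tenant-owner"),
    _tenant("gas", "ServiceAccount", "system:serviceaccount:gas:ci-bot"),
    _tenant("oil", "User", "alice"),
]}


def colliding_owners(tenant_list):
    """Map each ServiceAccount name that owns Tenants from more than one
    Namespace to a sorted list of (namespace, tenant) pairs."""
    seen = defaultdict(set)
    for tenant in tenant_list.get("items", []):
        tenant_name = tenant["metadata"]["name"]
        for owner in tenant.get("spec", {}).get("owners", []):
            name = owner.get("name", "")
            if owner.get("kind") != "ServiceAccount" or not name.startswith(SA_PREFIX):
                continue
            parts = name[len(SA_PREFIX):].split(":")
            if len(parts) != 2:
                continue  # malformed owner name, skip rather than guess
            namespace, sa_name = parts
            seen[sa_name].add((namespace, tenant_name))
    collisions = {}
    for sa_name, refs in seen.items():
        namespaces = {ns for ns, _ in refs}
        tenants = {t for _, t in refs}
        # Exposure needs the same name in different Namespaces AND different Tenants.
        if len(namespaces) > 1 and len(tenants) > 1:
            collisions[sa_name] = sorted(refs)
    return collisions


if __name__ == "__main__":
    for sa_name, refs in colliding_owners(SAMPLE).items():
        print(f"ServiceAccount name '{sa_name}' is reused across: {refs}")
```

A non-empty result only shows that the owner-naming condition is met; whether Namespaces are actually exposed also depends on the `capsule-proxy` version and caching setting listed on this page.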
| Name | Operator | Version |
|---|---|---|
| github.com/projectcapsule/capsule-proxy | le | 0.4.4 |
| github.com/projectcapsule/capsule | le | 0.4.4 |

github.com/advisories/GHSA-6758-979h-249x
github.com/projectcapsule/capsule-proxy/commit/615202f7b02eaec7681336bd63daed1f39ae00c5
github.com/projectcapsule/capsule-proxy/releases/tag/v0.4.5
github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-6758-979h-249x
nvd.nist.gov/vuln/detail/CVE-2023-46254