Veracode Vulnerability Database | VERACODE:44163
History: Nov 07, 2023 - 5:40 a.m.

Information Disclosure

2023-11-07 05:40:48
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: github, information disclosure, role bindings, privilege, namespaces, tenants

CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 7 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 14.0%)

github.com/clastix/capsule-proxy is vulnerable to Information Disclosure. The flaw is in role_bindings.go, which grants ServiceAccount tenant owners the privilege to list namespaces of other tenants that share the same owner kind and name. As a result, owners of different tenants whose ServiceAccounts have the same name can access and view the namespaces of the colliding tenants.
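The collision described above, shown as an added illustration (not code from capsule-proxy or from the Veracode entry): matching an owner on kind and name alone merges two distinct ServiceAccounts, while a key that also carries the ServiceAccount's namespace keeps them apart. All type names, function names and sample tenants are hypothetical, and using the namespace as the distinguishing field is an assumption; the entry states only that kind and name collide.

```go
package main

import "fmt"

// Subject mirrors the kind/namespace/name fields of a Kubernetes RBAC subject.
type Subject struct{ Kind, Namespace, Name string }

// Binding is a constructed stand-in for a RoleBinding: Owner may see Namespace.
type Binding struct {
	Owner     Subject
	Namespace string
}

// WeakKey identifies an owner by kind and name only (the collision the entry describes).
func WeakKey(s Subject) string { return s.Kind + "/" + s.Name }

// StrictKey also includes the ServiceAccount's own namespace (assumed remedy).
func StrictKey(s Subject) string {
	if s.Kind == "ServiceAccount" {
		return s.Kind + "/" + s.Namespace + "/" + s.Name
	}
	return WeakKey(s)
}

// VisibleNamespaces lists namespaces whose binding owner matches caller under key.
func VisibleNamespaces(bs []Binding, caller Subject, key func(Subject) string) []string {
	var out []string
	for _, b := range bs {
		if key(b.Owner) == key(caller) {
			out = append(out, b.Namespace)
		}
	}
	return out
}

// SampleBindings is constructed data: two tenants owned by same-named ServiceAccounts.
func SampleBindings() []Binding {
	return []Binding{
		{Subject{"ServiceAccount", "team-a", "owner"}, "tenant-a-dev"},
		{Subject{"ServiceAccount", "team-b", "owner"}, "tenant-b-prod"},
	}
}

func main() {
	caller := Subject{"ServiceAccount", "team-a", "owner"}
	fmt.Println("kind+name:          ", VisibleNamespaces(SampleBindings(), caller, WeakKey))
	fmt.Println("kind+namespace+name:", VisibleNamespaces(SampleBindings(), caller, StrictKey))
}
```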
