CVE-2023-46254 – github.com/projectcapsule/capsule-proxy

Package

Manager: go
Name: github.com/projectcapsule/capsule-proxy
Vulnerable Version: >=0 <0.4.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00233 pctl0.46049

Details

capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name ### Summary A bug in the RoleBinding reflector used by `capsule-proxy` gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. ### Details - Tenant `solar`, owned by a ServiceAccount named `tenant-owner` in the Namespace `solar` - Tenant `wind`, owned by a ServiceAccount named `tenant-owner` in the Namespace `wind` > Please, notice the same ServiceAccount name, although in different namespaces. The Tenant owner `solar` would be able to list the namespaces of the Tenant `wind` and vice-versa, although this is not correct. The bug introduces an exfiltration vulnerability since allows the listing of Namespace resources of other Tenants, although just in some specific conditions: 1. `capsule-proxy` runs with the `--disable-caching=false` (default value: `false`) 2. Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces. The CVE doesn't allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this.

Metadata

Created: 2023-11-07T21:46:04Z
Modified: 2023-11-07T21:46:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-6758-979h-249x/GHSA-6758-979h-249x.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-6758-979h-249x
Finding: F310
Auto approve: 1