Unknown · Capsule-Proxy · CVE-2023-48312
**Name of the Vulnerable Software and Affected Versions**
capsule-proxy versions prior to 0.4.6
**Description**
The issue is a privilege escalation vulnerability caused by a missing check that the user is authenticated according to the `TokenReview` result. It affects clusters running with the `anonymous-auth` Kubernetes API Server setting disabled (set to `false`): the token review mechanism can be bypassed, allowing interaction with the upper Kubernetes API Server. The vulnerability cannot be exploited when relying only on client certificates (SSL/TLS).
**Recommendations**
For versions prior to 0.4.6, upgrade to version 0.4.6 to address the vulnerability.
As a temporary workaround, consider disabling the `anonymous-auth` feature or restricting access to the `capsule-proxy` until the issue is resolved.
Restrict access to the Kubernetes API Server to minimize the risk of exploitation.
Avoid using empty tokens in the `Authorization` header until the issue is resolved.
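
The check the description refers to, together with the empty-token case from the recommendations, shown as an added Go example (not capsule-proxy's own code). The struct mirrors the `status` fields of a Kubernetes `authentication.k8s.io/v1` `TokenReview`; the function names, error value and sample JSON are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenReview mirrors only the TokenReview status fields used here.
type tokenReview struct {
	Status struct {
		Authenticated bool   `json:"authenticated"`
		Error         string `json:"error"`
		User          struct {
			Username string `json:"username"`
		} `json:"user"`
	} `json:"status"`
}

var errUnauthenticated = errors.New("request is not authenticated")
// bearerToken returns the token from an Authorization header, rejecting empty ones.
func bearerToken(header string) (string, error) {
	scheme, token, ok := strings.Cut(header, " ")
	if token = strings.TrimSpace(token); !ok || !strings.EqualFold(scheme, "Bearer") || token == "" {
		return "", errUnauthenticated
	}
	return token, nil
}

// userFromReview returns a username only if the API server authenticated the token.
func userFromReview(raw []byte) (string, error) {
	var tr tokenReview
	if err := json.Unmarshal(raw, &tr); err != nil {
		return "", err
	}
	// The authenticated flag must be checked explicitly; a decoded response is not proof.
	if !tr.Status.Authenticated || tr.Status.Error != "" || tr.Status.User.Username == "" {
		return "", errUnauthenticated
	}
	return tr.Status.User.Username, nil
}

func main() {
	// Constructed sample response, not captured from a real cluster.
	_, err := userFromReview([]byte(`{"status":{"authenticated":false,"error":"invalid token"}}`))
	fmt.Println("rejected review:", err)
}
```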