Xy585

**Name of the Vulnerable Software and Affected Versions** Capsule versions prior to 0.13.0 **Description** Capsule uses a webhook to validate update requests targeting namespaces to prevent namespace hijacking. However, the webhook fails to define interception rules for the 'namespace/finalize' and 'namespace/status' subresource APIs. Since these APIs can modify the metadata field of a namespace, a tenant administrator with permissions to modify these subresources can successfully perform namespace hijacking by altering the `ownerReferences` variable. **Recommendations** Update to version 0.13.0. As a temporary mitigation, add the 'namespaces', 'namespaces/status', and 'namespace/finalize' subresources to the resources list in the ValidatingWebhookConfiguration rules.