PT-2023-29934 · Unknown · Capsule-Proxy
Mtheeren-Asml · Published 2023-11-06 · Updated 2023-11-14 · CVE-2023-46254
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
capsule-proxy versions prior to 0.4.5
Description
A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. This introduces an exfiltration vulnerability, allowing the listing of Namespace resources of other Tenants under specific conditions:
- capsule-proxy runs with --disable-caching=false, and
- Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces.
This issue does not allow any privilege escalation on the outer tenant Namespace-scoped resources, as the Kubernetes RBAC is enforcing this.
Recommendations
For versions prior to 0.4.5, upgrade to version 0.4.5 to address the issue.
As a temporary workaround, consider setting --disable-caching=true to mitigate the risk of exploitation.
Restrict access to the capsule-proxy to minimize the risk of exploitation.
Avoid using the same ServiceAccount name for different tenants in different Namespaces until the issue is resolved.
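An added audit example (not part of the advisory or of the capsule-proxy project) that checks a cluster's Tenant list for the second condition in the description: ServiceAccount owners that share a resource name across different Namespaces and Tenants. It assumes Tenant owners are listed under `spec.owners` with `kind` and `name`, and that ServiceAccount owner names take the form `system:serviceaccount:<namespace>:<name>`; the sample data is constructed.

```python
import json
import sys
from collections import defaultdict

SA_PREFIX = "system:serviceaccount:"  # assumed owner-name format for ServiceAccounts

# Constructed sample, shaped like `kubectl get tenants.capsule.clastix.io -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "oil"}, "spec": {"owners": [
        {"kind": "ServiceAccount", "name": "system:serviceaccount:team-a:deployer"}]}},
    {"metadata": {"name": "gas"}, "spec": {"owners": [
        {"kind": "ServiceAccount", "name": "system:serviceaccount:team-b:deployer"}]}},
    {"metadata": {"name": "water"}, "spec": {"owners": [
        {"kind": "User", "name": "alice"}]}},
    {"metadata": {"name": "solar"}, "spec": {"owners": [
        {"kind": "ServiceAccount", "name": "system:serviceaccount:team-c:ci"}]}},
]}


def colliding_sa_owners(tenant_list):
    """Map each ServiceAccount resource name that owns Tenants from more than
    one Namespace to its sorted (namespace, tenant) references."""
    seen = defaultdict(set)
    for tenant in tenant_list.get("items", []):
        tenant_name = tenant["metadata"]["name"]
        for owner in tenant.get("spec", {}).get("owners", []):
            name = owner.get("name", "")
            if owner.get("kind") != "ServiceAccount" or not name.startswith(SA_PREFIX):
                continue
            namespace, _, sa_name = name[len(SA_PREFIX):].partition(":")
            if namespace and sa_name:
                seen[sa_name].add((namespace, tenant_name))
    # A collision needs the same name in different Namespaces AND different Tenants.
    return {
        sa: sorted(refs) for sa, refs in seen.items()
        if len({ns for ns, _ in refs}) > 1 and len({t for _, t in refs}) > 1
    }


if __name__ == "__main__":
    # Pass a JSON file saved from kubectl as argv[1]; otherwise the sample is used.
    data = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for sa, refs in colliding_sa_owners(data).items():
        print(f"ServiceAccount name '{sa}' is a Tenant owner in several Namespaces:")
        for ns, tenant in refs:
            print(f"  {ns}/{sa} -> Tenant {tenant}")
```

Any name it reports should be renamed or the proxy upgraded to 0.4.5 before caching is left enabled.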
Information Disclosure
Affected Products
Capsule-Proxy