CVE-2023-46254
Severity: MEDIUM 4.3 | EPSS: 0.23%

capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name
Description
### Summary

A bug in the RoleBinding reflector used by `capsule-proxy` gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name.

### Details

- Tenant `solar`, owned by a ServiceAccount named `tenant-owner` in the Namespace `solar`
- Tenant `wind`, owned by a ServiceAccount named `tenant-owner` in the Namespace `wind`

> Please notice the same ServiceAccount name, although in different Namespaces.

The Tenant owner of `solar` would be able to list the Namespaces of the Tenant `wind` and vice versa, although this is not correct.

The bug introduces an exfiltration vulnerability, since it allows the listing of Namespace resources of other Tenants, although only under specific conditions:

1. `capsule-proxy` runs with `--disable-caching=false` (default value: `false`)
2. Tenant owners are ServiceAccounts with the same resource name, but in different Namespaces.

The CVE doesn't allow any privilege escalation on the other tenant's Namespace-scoped resources, since Kubernetes RBAC enforces this.
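The collision described above, as an added example that is not capsule-proxy's code: a constructed owner-to-Namespace index keyed the flawed way (kind and name) beside one keyed with the Namespace, plus a check an operator can run over Tenant specs to find ServiceAccount owners that collide across Namespaces. Type names, function names and the sample tenants are assumptions.

```go
package main

// Constructed model of the owner -> Namespace lookup the advisory describes; not
// capsule-proxy's code, and the type and function names are hypothetical.
type Owner struct{ Kind, Name, Namespace string } // Namespace only for ServiceAccounts
type Tenant struct {
	Name       string
	Owner      Owner
	Namespaces []string
}

// collidingKey models the flaw: kind and name only, so ServiceAccounts with the
// same name in different Namespaces share one entry.
func collidingKey(o Owner) string { return o.Kind + "/" + o.Name }

// scopedKey adds the Namespace (empty for User/Group owners), as Kubernetes does in system:serviceaccount:<ns>:<name>.
func scopedKey(o Owner) string { return collidingKey(o) + "/" + o.Namespace }

// VisibleNamespaces indexes tenants by owner key and returns what `who` may list.
func VisibleNamespaces(tenants []Tenant, key func(Owner) string, who Owner) []string {
	index := map[string][]string{}
	for _, t := range tenants {
		index[key(t.Owner)] = append(index[key(t.Owner)], t.Namespaces...)
	}
	return index[key(who)]
}

// CollidingOwners is the operator-side check: ServiceAccount names used as tenant owner in more than one Namespace.
func CollidingOwners(tenants []Tenant) []string {
	seen := map[[2]string]bool{} // (name, namespace) pairs already counted
	count := map[string]int{}    // distinct Namespaces per ServiceAccount name
	var out []string
	for _, t := range tenants {
		o := t.Owner
		if o.Kind != "ServiceAccount" || seen[[2]string{o.Name, o.Namespace}] {
			continue
		}
		seen[[2]string{o.Name, o.Namespace}] = true
		if count[o.Name]++; count[o.Name] == 2 {
			out = append(out, o.Name)
		}
	}
	return out
}

// Constructed sample matching the advisory: solar and wind, each owned by tenant-owner in its own Namespace.
var Tenants = []Tenant{
	{"solar", Owner{"ServiceAccount", "tenant-owner", "solar"}, []string{"solar-dev", "solar-prod"}},
	{"wind", Owner{"ServiceAccount", "tenant-owner", "wind"}, []string{"wind-dev"}},
}
```

With the flawed key the `solar` owner's lookup also returns `wind-dev`; with the scoped key each owner sees only its own tenant's Namespaces, and `CollidingOwners` reports `tenant-owner` as the name that triggers the condition.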
Affected packages (2)
- Go / github.com/projectcapsule/capsule: from 0, < 0.4.5
- Go / github.com/projectcapsule/capsule-proxy: from 0, < 0.4.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-46254
- PATCH: https://github.com/projectcapsule/capsule-proxy
- WEB: https://github.com/projectcapsule/capsule-proxy/commit/615202f7b02eaec7681336bd63daed1f39ae00c5
- WEB: https://github.com/projectcapsule/capsule-proxy/releases/tag/v0.4.5
- WEB: https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-6758-979h-249x