capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name
Moderate severity
GitHub Reviewed
Published
Nov 6, 2023
in
projectcapsule/capsule-proxy
•
Updated Nov 7, 2023
Description
Published by the National Vulnerability Database
Nov 6, 2023
Published to the GitHub Advisory Database
Nov 7, 2023
Reviewed
Nov 7, 2023
Last updated
Nov 7, 2023
Summary
A bug in the RoleBinding reflector used by
capsule-proxygives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name.Details
solar, owned by a ServiceAccount namedtenant-ownerin the Namespacesolarwind, owned by a ServiceAccount namedtenant-ownerin the NamespacewindThe Tenant owner
solarwould be able to list the namespaces of the Tenantwindand vice-versa, although this is not correct.The bug introduces an exfiltration vulnerability since allows the listing of Namespace resources of other Tenants, although just in some specific conditions:
capsule-proxyruns with the--disable-caching=false(default value:false)The CVE doesn't allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this.
References