CVE-2023-46254
capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name
Description
### Summary

A bug in the RoleBinding reflector used by `capsule-proxy` gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name.

### Details

- Tenant `solar`, owned by a ServiceAccount named `tenant-owner` in the Namespace `solar`
- Tenant `wind`, owned by a ServiceAccount named `tenant-owner` in the Namespace `wind`

> Please notice the same ServiceAccount name, although in different Namespaces.

The owner of Tenant `solar` would be able to list the Namespaces of Tenant `wind`, and vice versa, which is not correct. The bug introduces an exfiltration vulnerability, since it allows listing the Namespace resources of other Tenants, although only under some specific conditions:

1. `capsule-proxy` runs with `--disable-caching=false` (default value: `false`)
2. Tenant owners are ServiceAccounts with the same resource name but in different Namespaces.

The CVE doesn't allow any privilege escalation on the other tenant's Namespace-scoped resources, since Kubernetes RBAC enforces this.
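The following Go program is an added example, not code from the capsule-proxy project. It models the keying defect the advisory describes (an owner index built from kind and name only, as opposed to kind, Namespace and name), shows the two tenants from the Details section colliding under the defective key and separated under the corrected one, and includes the check an administrator would want: which ServiceAccount owners in the Tenant list share a name across different Namespaces. The key formats, struct names and tenant Namespaces are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Owner models a tenant owner as declared in a Capsule Tenant.
// Namespace is meaningful only for ServiceAccount owners.
type Owner struct {
	Kind      string // "User", "Group" or "ServiceAccount"
	Name      string
	Namespace string
}

// Tenant is a simplified model: its name, its owners and the Namespaces it contains.
type Tenant struct {
	Name       string
	Owners     []Owner
	Namespaces []string
}

// VulnerableKey models the behaviour the advisory describes for versions before 0.4.5:
// the index key is built from owner kind and name only, so ServiceAccounts with the
// same name in different Namespaces collide. Hypothetical model, not capsule-proxy code.
func VulnerableKey(o Owner) string {
	return o.Kind + "/" + o.Name
}

// FixedKey includes the ServiceAccount's Namespace, which is what makes a
// ServiceAccount identity unique in Kubernetes (system:serviceaccount:<ns>:<name>).
func FixedKey(o Owner) string {
	if o.Kind == "ServiceAccount" {
		return o.Kind + "/" + o.Namespace + "/" + o.Name
	}
	return o.Kind + "/" + o.Name
}

// buildIndex maps an owner key to the Namespaces that key may list, the way a
// cached reflector would when caching is enabled (--disable-caching=false).
func buildIndex(tenants []Tenant, key func(Owner) string) map[string][]string {
	idx := map[string][]string{}
	for _, t := range tenants {
		for _, o := range t.Owners {
			k := key(o)
			idx[k] = append(idx[k], t.Namespaces...)
		}
	}
	for k := range idx {
		sort.Strings(idx[k])
	}
	return idx
}

// VisibleNamespaces returns the Namespaces an owner would get back from a
// Namespace list request through the proxy under the given keying scheme.
func VisibleNamespaces(tenants []Tenant, o Owner, key func(Owner) string) []string {
	return buildIndex(tenants, key)[key(o)]
}

// CollidingServiceAccountOwners is the administrator's check: ServiceAccount owners
// that share a name across different Namespaces, i.e. the affected configuration.
// Returns SA name -> sorted list of Namespaces in which such an owner lives.
func CollidingServiceAccountOwners(tenants []Tenant) map[string][]string {
	nsByName := map[string]map[string]bool{}
	for _, t := range tenants {
		for _, o := range t.Owners {
			if o.Kind != "ServiceAccount" {
				continue
			}
			if nsByName[o.Name] == nil {
				nsByName[o.Name] = map[string]bool{}
			}
			nsByName[o.Name][o.Namespace] = true
		}
	}
	out := map[string][]string{}
	for name, set := range nsByName {
		if len(set) < 2 {
			continue // unique name, or the same SA reused as owner: no collision
		}
		for ns := range set {
			out[name] = append(out[name], ns)
		}
		sort.Strings(out[name])
	}
	return out
}

// SampleTenants is the constructed scenario from the advisory: two tenants, each
// owned by a ServiceAccount called tenant-owner living in its own Namespace.
func SampleTenants() []Tenant {
	return []Tenant{
		{Name: "solar",
			Owners:     []Owner{{Kind: "ServiceAccount", Name: "tenant-owner", Namespace: "solar"}},
			Namespaces: []string{"solar", "solar-prod"}},
		{Name: "wind",
			Owners:     []Owner{{Kind: "ServiceAccount", Name: "tenant-owner", Namespace: "wind"}},
			Namespaces: []string{"wind", "wind-prod"}},
	}
}

func main() {
	tenants := SampleTenants()
	solarOwner := Owner{Kind: "ServiceAccount", Name: "tenant-owner", Namespace: "solar"}
	fmt.Println("vulnerable:", VisibleNamespaces(tenants, solarOwner, VulnerableKey))
	fmt.Println("fixed:     ", VisibleNamespaces(tenants, solarOwner, FixedKey))
	fmt.Println("colliding: ", CollidingServiceAccountOwners(tenants))
}
```

Under the defective key the `solar` owner's listing contains `wind` and `wind-prod`; under the corrected key it contains only its own two Namespaces. `CollidingServiceAccountOwners` applied to your real Tenant list tells you whether the second precondition in the Details section holds in your cluster, independently of the proxy version.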
How to fix CVE-2023-46254
To remediate CVE-2023-46254, upgrade the affected package to a fixed version below.
- —upgrade to 0.4.5 or later
- —upgrade to 0.4.5 or later
Is CVE-2023-46254 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 0.4.5