Описание
capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name
Summary
A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name.
Details
- Tenant
solar, owned by a ServiceAccount namedtenant-ownerin the Namespacesolar - Tenant
wind, owned by a ServiceAccount namedtenant-ownerin the Namespacewind
Please, notice the same ServiceAccount name, although in different namespaces.
The Tenant owner solar would be able to list the namespaces of the Tenant wind and vice-versa, although this is not correct.
The bug introduces an exfiltration vulnerability since allows the listing of Namespace resources of other Tenants, although just in some specific conditions:
capsule-proxyruns with the--disable-caching=false(default value:false)- Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces.
The CVE doesn't allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this.
Ссылки
Пакеты
github.com/projectcapsule/capsule
<= 0.4.4
0.4.5
github.com/projectcapsule/capsule-proxy
<= 0.4.4
0.4.5
Связанные уязвимости
capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by `capsule-proxy` gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. For example consider two tenants `solar` and `wind`. Tenant `solar`, owned by a ServiceAccount named `tenant-owner` in the Namespace `solar`. Tenant `wind`, owned by a ServiceAccount named `tenant-owner` in the Namespace `wind`. The Tenant owner `solar` would be able to list the namespaces of the Tenant `wind` and vice-versa, although this is not correct. The bug introduces an exfiltration vulnerability since allows the listing of Namespace resources of other Tenants, although just in some specific conditions: 1. `capsule-proxy` runs with the `--disable-caching=false` (default value: `false`) and 2. Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces. This vulnerability doesn't allow any pri