x/vulndb: potential Go vuln in github.com/projectcapsule/capsule-proxy: CVE-2023-46254 #2179

Closed
GoVulnBot opened this issue Nov 6, 2023 · 3 comments

@GoVulnBot

CVE-2023-46254 references github.com/projectcapsule/capsule-proxy, which may be a Go module.

Description:
capsule-proxy is a reverse proxy for the Capsule Kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name.

For example, consider two tenants, solar and wind. Tenant solar is owned by a ServiceAccount named tenant-owner in the Namespace solar. Tenant wind is owned by a ServiceAccount named tenant-owner in the Namespace wind. The Tenant owner solar would be able to list the namespaces of the Tenant wind and vice-versa, although this is not correct.

The bug introduces an exfiltration vulnerability since it allows the listing of Namespace resources of other Tenants, although just in some specific conditions:

1. capsule-proxy runs with the --disable-caching=false (default value: false) and
2. Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces.

This vulnerability doesn't allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this. This issue has been addressed in version 0.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/projectcapsule/capsule-proxy
      vulnerable_at: 0.4.5
      packages:
        - package: capsule-proxy
cves:
    - CVE-2023-46254
references:
    - advisory: https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-6758-979h-249x
    - fix: https://github.com/projectcapsule/capsule-proxy/commit/615202f7b02eaec7681336bd63daed1f39ae00c5
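
A simplified model of the collision the description above reports, added here as an example; it is not capsule-proxy's code, and the types, function names and tenant namespaces (solar-dev, solar-prod, wind-dev) are constructed for illustration. It assumes a cache keyed by owner identity and contrasts a key that omits the ServiceAccount namespace with one that includes it.

```go
package main

import "fmt"

// Subject mirrors the fields of a Kubernetes RBAC subject that matter here.
type Subject struct{ Kind, Namespace, Name string }

// Tenant is a constructed stand-in for a Capsule tenant: one owner, some namespaces.
type Tenant struct {
	Name       string
	Owner      Subject
	Namespaces []string
}

// looseKey ignores the owner's namespace: the kind+name match the description reports.
func looseKey(s Subject) string { return s.Kind + "/" + s.Name }

// strictKey keeps same-named ServiceAccounts in different namespaces distinct.
func strictKey(s Subject) string {
	if s.Kind == "ServiceAccount" {
		return s.Kind + "/" + s.Namespace + "/" + s.Name
	}
	return s.Kind + "/" + s.Name
}

// listable builds an owner-key -> namespaces cache and returns the caller's entry.
func listable(tenants []Tenant, key func(Subject) string, caller Subject) []string {
	idx := map[string][]string{}
	for _, t := range tenants {
		k := key(t.Owner)
		idx[k] = append(idx[k], t.Namespaces...)
	}
	return idx[key(caller)]
}

// sampleTenants is constructed data matching the solar/wind scenario.
func sampleTenants() []Tenant {
	return []Tenant{
		{"solar", Subject{"ServiceAccount", "solar", "tenant-owner"}, []string{"solar-dev", "solar-prod"}},
		{"wind", Subject{"ServiceAccount", "wind", "tenant-owner"}, []string{"wind-dev"}},
	}
}

func main() {
	caller := Subject{"ServiceAccount", "solar", "tenant-owner"}
	fmt.Println("kind/name key:          ", listable(sampleTenants(), looseKey, caller))
	fmt.Println("kind/namespace/name key:", listable(sampleTenants(), strictKey, caller))
}
```

A regression test for this class of bug needs at least two owners that share kind and name but differ in namespace, as in the constructed sample data.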

@zpavlinovic zpavlinovic self-assigned this Nov 7, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Nov 7, 2023
@zpavlinovic

Add-on/binary. No known importers.

@gopherbot

Change https://go.dev/cl/540675 mentions this issue: data/excluded: batch add 3 excluded reports

@gopherbot

Change https://go.dev/cl/592763 mentions this issue: data/reports: unexclude 75 reports
