8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-46167

GHSA ID

GHSA-x45c-cvp8-q4fm

EPSS Score

0.22231%

CWE

CWE-863

Published

12/5/2022

Updated

1/31/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-46167

CVE-2022-46167: Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace

Capsule implements a multi-tenant and policy-based environment in a Kubernetes cluster. A ServiceAccount deployed in a Tenant Namespace, when granted with PATCH capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items.

With that said, an attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation.

Patches

Patches have been released for version 0.1.3 and all users must upgrade to this release.

Workarounds

N.A.

References

N.A.

For more information

If you have any questions or comments about this advisory:

Open an issue in github.com/clastix/capsule
Reach out on #capsule channel available on Kubernetes Slack workspace

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-46167

GHSA ID

GHSA-x45c-cvp8-q4fm

EPSS Score

0.22231%

CWE

CWE-863

Published

12/5/2022

Updated

1/31/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/clastix/capsule	go	<= 0.1.2	0.1.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key gaps:

Missing webhook validation for OwnerReference modifications in Namespaces, allowing detachment from Tenants.
Insufficient enforcement of nodeSelector annotations at the webhook layer. The commit 1df430e added critical webhook checks in owner_reference.go and user_metadata.go to address these issues. The vulnerable functions existed in the pre-patch code where these security checks were absent.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**psul* impl*m*nts * multi-t*n*nt *n* poli*y-**s** *nvironm*nt in * Ku**rn*t*s *lust*r. * S*rvi*****ount **ploy** in * T*n*nt N*m*sp***, w**n *r*nt** wit* `P*T**` **p**iliti*s on its own N*m*sp***, is **l* to **it it *n* r*mov* t** Own*r R***r*n**, *

Reasoning

T** vuln*r**ility st*mm** *rom two k*y **ps: *. Missin* w***ook v*li**tion *or Own*rR***r*n** mo*i*i**tions in N*m*sp***s, *llowin* **t***m*nt *rom T*n*nts. *. Insu**i*i*nt *n*or**m*nt o* no**S*l**tor *nnot*tions *t t** w***ook l*y*r. T** *ommit ****

8.8

Basic Information

Concerned about an active attack path?

CVE-2022-46167: Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace

Patches

Workarounds

References

For more information

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI