4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-46254

CVE-2023-46254: capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name

Summary

A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name.

Details

Tenant solar, owned by a ServiceAccount named tenant-owner in the Namespace solar
Tenant wind, owned by a ServiceAccount named tenant-owner in the Namespace wind

Please, notice the same ServiceAccount name, although in different namespaces.

The Tenant owner solar would be able to list the namespaces of the Tenant wind and vice-versa, although this is not correct.

The bug introduces an exfiltration vulnerability since allows the listing of Namespace resources of other Tenants, although just in some specific conditions:

capsule-proxy runs with the --disable-caching=false (default value: false)
Tenant owners are ServiceAccount, with the same resource name, but in different Namespaces.

The CVE doesn't allow any privilege escalation on the outer tenant Namespace-scoped resources, since the Kubernetes RBAC is enforcing this.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-46254

CVE-2023-46254:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/projectcapsule/capsule	go	<= 0.4.4	0.4.5
github.com/projectcapsule/capsule-proxy	go	<= 0.4.4	0.4.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key flaws in role_bindings.go: 1) In GetUserNamespacesFromRequest, ServiceAccount usernames were parsed without preserving namespace context, creating ambiguous identifiers. 2) OwnerRoleBindingsIndexFunc constructed index keys without namespace qualification for Subject references. The patch explicitly addresses both by: a) Appending namespace to ServiceAccount usernames (fmt.Sprintf("%s-%s", namespace, name)), and b) Including Subject.Namespace in index key construction when available. These changes directly correlate to the described vulnerability scenario where same-name ServiceAccounts in different namespaces were improperly considered equivalent.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-46254: capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name

Summary

Details

CVE-2023-46254:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.3

4.3

CVE-2023-46254: capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name

Summary

Details

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI