Advisories for Golang/Github.com/Clastix/Capsule-Proxy package

capsule-proxy is a reverse proxy for the capsule operator project. Affected versions are subject to a privilege escalation vulnerability which is based on a missing check if the user is authenticated based on the TokenReview result. All the clusters running with the anonymous-auth Kubernetes API Server setting disable (set to false) are affected since it would be possible to bypass the token review mechanism, interacting with the upper Kubernetes API …

capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious Connection header to start a privilege escalation attack towards the Kubernetes API Server. This vulnerability allows for an exploit of the cluster-admin Role bound to capsule-proxy. There are no known workarounds for this issue.