Advisories for Golang/Github.com/Projectcapsule/Capsule package

A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce.

The tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. I would like to express my apologies once again. I have always been sincere in my research and communication, and I did not intend to disturb you on purpose.

capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. For example consider two tenants solar and wind. Tenant solar, owned by a ServiceAccount named tenant-owner in the Namespace solar. Tenant wind, owned by a ServiceAccount named tenant-owner in the Namespace …