
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A bug in the RoleBinding reflector used by capsule-proxy, the reverse proxy for the Capsule Kubernetes multi-tenancy framework, affects versions up to and including 0.4.4. It allows a Tenant owner that is a ServiceAccount to list the Namespaces of other Tenants whose owners share the same owner kind and name, access that Capsule should deny. The issue was disclosed on November 6, 2023 and assigned CVE-2023-46254 (Vendor Advisory).
The vulnerability requires two conditions to hold at once: capsule-proxy runs with --disable-caching=false (the default), and Tenant owners are ServiceAccounts that share a resource name but live in different Namespaces. For example, if tenants 'solar' and 'wind' are each owned by a ServiceAccount named 'tenant-owner' in their respective Namespaces, the owner of 'solar' can list the Namespaces of 'wind' and vice versa. The vulnerability carries a CVSS v3.1 Base Score of 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).
The impact is information disclosure: a Tenant owner can enumerate Namespace resources belonging to other Tenants. It does not grant privilege escalation over the Namespace-scoped resources of those other Tenants, because Kubernetes RBAC continues to enforce access to them (Vendor Advisory).
The issue is fixed in capsule-proxy 0.4.5; users should upgrade to that version or later. No workaround is available (NVD).
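The following script is an added example for this entry, not code from Capsule, capsule-proxy or the advisory. It checks a cluster for the two preconditions above from exported data: Tenants whose ServiceAccount owners share a name across different Namespaces, and capsule-proxy arguments that leave caching enabled. It assumes Capsule writes ServiceAccount owners as "system:serviceaccount:<namespace>:<name>" and that the proxy version follows plain MAJOR.MINOR.PATCH; the Tenant list and container arguments are constructed inline in place of `kubectl ... -o json` output.

```python
"""Exposure check for CVE-2023-46254 (capsule-proxy <= 0.4.4).

Added example, not Capsule's or capsule-proxy's own code. Flags the two
conditions in the advisory: caching enabled (--disable-caching=false, the
default) and Tenants owned by ServiceAccounts that share a name but sit in
different Namespaces. Assumes Capsule names ServiceAccount owners as
"system:serviceaccount:<namespace>:<name>".
"""
import json
from collections import defaultdict

SA_PREFIX = "system:serviceaccount:"
FIXED_VERSION = (0, 4, 5)  # first capsule-proxy release with the fix

# Constructed sample resembling `kubectl get tenants.capsule.clastix.io -o json`
# (Tenant is cluster-scoped, so items carry no metadata.namespace).
SAMPLE_TENANT_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List", "items": [
        {"kind": "Tenant", "metadata": {"name": "solar"},
         "spec": {"owners": [{"kind": "ServiceAccount",
                              "name": "system:serviceaccount:solar:tenant-owner"}]}},
        {"kind": "Tenant", "metadata": {"name": "wind"},
         "spec": {"owners": [{"kind": "ServiceAccount",
                              "name": "system:serviceaccount:wind:tenant-owner"}]}},
        # One ServiceAccount owning two Tenants from the same Namespace is
        # ordinary shared ownership, not the vulnerable pattern.
        {"kind": "Tenant", "metadata": {"name": "gas"},
         "spec": {"owners": [{"kind": "ServiceAccount",
                              "name": "system:serviceaccount:gas:ops"}]}},
        {"kind": "Tenant", "metadata": {"name": "hydro"},
         "spec": {"owners": [{"kind": "ServiceAccount",
                              "name": "system:serviceaccount:gas:ops"},
                             {"kind": "User", "name": "alice"}]}},
    ]})

# Constructed sample: container args of a capsule-proxy Deployment.
SAMPLE_PROXY_ARGS = ["--listening-port=9001", "--disable-caching=false"]


def parse_sa_owner(name):
    """Return (namespace, serviceaccount) for a ServiceAccount owner name, else None."""
    if not name.startswith(SA_PREFIX):
        return None
    ns, sep, sa = name[len(SA_PREFIX):].partition(":")
    if not sep or not ns or not sa:
        return None
    return ns, sa


def find_colliding_owners(tenant_list_json):
    """Map each ServiceAccount short name that owns Tenants from two or more
    different Namespaces to the sorted (tenant, owner namespace) pairs involved."""
    by_sa_name = defaultdict(set)
    for item in json.loads(tenant_list_json).get("items", []):
        tenant = item["metadata"]["name"]
        for owner in item.get("spec", {}).get("owners", []):
            if owner.get("kind") != "ServiceAccount":
                continue
            parsed = parse_sa_owner(owner.get("name", ""))
            if parsed is None:
                continue
            ns, sa = parsed
            by_sa_name[sa].add((tenant, ns))
    return {sa: sorted(pairs) for sa, pairs in by_sa_name.items()
            if len({ns for _, ns in pairs}) >= 2}


def proxy_caching_enabled(args):
    """True when caching is on: --disable-caching absent or set to false."""
    enabled = True
    for arg in args:
        if arg == "--disable-caching":
            enabled = False  # a bare Go bool flag means true, so caching is off
        elif arg.startswith("--disable-caching="):
            value = arg.split("=", 1)[1].strip().lower()
            enabled = value not in {"true", "t", "1"}
    return enabled


def is_vulnerable_version(version):
    """Releases before 0.4.5 are affected (assumes plain MAJOR.MINOR.PATCH)."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return parts < FIXED_VERSION


def assess(tenant_list_json, proxy_args, proxy_version):
    """Combine the three checks; 'exposed' is True only when all hold."""
    collisions = find_colliding_owners(tenant_list_json)
    exposed = (is_vulnerable_version(proxy_version)
               and proxy_caching_enabled(proxy_args)
               and bool(collisions))
    return {"exposed": exposed, "collisions": collisions}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_TENANT_LIST, SAMPLE_PROXY_ARGS, "0.4.4"), indent=2))
```

On the sample data the report flags 'tenant-owner' for tenants solar and wind and leaves the gas/hydro pair alone, since their shared owner lives in one Namespace. Against a real cluster, feed it the JSON from `kubectl get tenants.capsule.clastix.io -o json` and the args from the capsule-proxy Deployment; the version and caching checks only tell you whether the pattern is currently exploitable, so renaming the colliding ServiceAccounts is not a substitute for upgrading to 0.4.5.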
Source: This report was generated using AI