Improper Authentication in Capsule Proxy
Severity: High (GitHub Reviewed)
Published Feb 20, 2022 in projectcapsule/capsule-proxy. Updated Feb 3, 2023.
Package
Affected versions: < 0.2.1
Patched versions: 0.2.1
Description
Published by the National Vulnerability Database: Feb 22, 2022
Published to the GitHub Advisory Database: Feb 23, 2022
Reviewed: Feb 23, 2022
Last updated: Feb 3, 2023
Impact
Using a malicious Connection header, an attacker who already holds valid credentials could escalate privileges towards the Kubernetes API Server, exploiting the cluster-admin Role bound to capsule-proxy.
Patches
Patch has been merged in the v0.2.1 release.
Workarounds
Upgrading is mandatory.
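The advisory does not spell out the mechanism, so the following is an added illustration of the general hazard rather than capsule-proxy's own code. RFC 7230 section 6.1 lets a client's Connection header name arbitrary headers as hop-by-hop, and Go's httputil.ReverseProxy deletes every header so named after the Director has run. A proxy that authenticates the caller and then sets an identity header for the upstream inside the Director therefore loses that header if the client lists it in Connection, and the upstream sees a request carrying only the proxy's own (highly privileged) credential. The header name X-Authenticated-User, the user "alice" and the sanitizeConnectionHeader helper are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// identityHeader is a hypothetical header the proxy sets after authenticating
// the caller; the upstream trusts it because only the proxy's privileged
// credential can reach the upstream at all.
const identityHeader = "X-Authenticated-User"

// connectionAllowlist holds the only Connection tokens the proxy will forward.
// Any other token (for instance one naming a proxy-owned header) is dropped.
var connectionAllowlist = map[string]bool{"close": true, "keep-alive": true, "upgrade": true}

// sanitizeConnectionHeader rewrites the client's Connection header so that it
// can only carry allowlisted tokens. Go's ReverseProxy deletes every header
// named in Connection *after* the Director returns, so this must run before
// the proxy adds headers it depends on.
func sanitizeConnectionHeader(h http.Header) {
	var kept []string
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			tok = strings.ToLower(strings.TrimSpace(tok))
			if connectionAllowlist[tok] {
				kept = append(kept, tok)
			}
		}
	}
	h.Del("Connection")
	if len(kept) > 0 {
		h.Set("Connection", strings.Join(kept, ", "))
	}
}

// newProxy builds a reverse proxy to upstream. With hardened=false the Director
// follows the vulnerable pattern (trust the client's Connection header, then set
// the identity header); with hardened=true it sanitizes Connection first.
func newProxy(upstream *url.URL, hardened bool, user string) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	base := p.Director
	p.Director = func(r *http.Request) {
		base(r)
		if hardened {
			sanitizeConnectionHeader(r.Header)
		}
		// The proxy alone decides the identity; any client-supplied value is replaced.
		r.Header.Set(identityHeader, user)
	}
	return p
}

// IdentitySeenUpstream sends one request through a proxy built as above, with
// the given client-supplied Connection header value, and returns the identity
// header the upstream actually received ("" means it was stripped in transit).
func IdentitySeenUpstream(hardened bool, clientConnection string) (string, error) {
	var mu sync.Mutex
	seen := ""
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		seen = r.Header.Get(identityHeader)
		mu.Unlock()
		io.WriteString(w, "ok")
	}))
	defer upstream.Close()

	u, err := url.Parse(upstream.URL)
	if err != nil {
		return "", err
	}
	proxy := httptest.NewServer(newProxy(u, hardened, "alice")) // "alice" is a constructed user
	defer proxy.Close()

	req, err := http.NewRequest(http.MethodGet, proxy.URL+"/api", nil)
	if err != nil {
		return "", err
	}
	if clientConnection != "" {
		req.Header.Set("Connection", clientConnection)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	return seen, nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		id, err := IdentitySeenUpstream(hardened, identityHeader)
		fmt.Printf("hardened=%v upstream saw identity %q err=%v\n", hardened, id, err)
	}
}
```

The unhardened proxy returns an empty identity when the client's Connection header names the proxy-owned header, and "alice" once the Director sanitizes Connection first; the same check makes a useful regression test for any proxy that injects identity or impersonation headers. Go 1.20 and later also offer the ReverseProxy.Rewrite hook, which is invoked after hop-by-hop headers have already been removed and so avoids this ordering problem by construction.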