Vulnerability Description
capsule-proxy is a reverse proxy for Capsule Operator, which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1, an authenticated attacker may use a malicious `Connection` header to start a privilege escalation attack against the Kubernetes API Server. This vulnerability allows abuse of the `cluster-admin` Role bound to `capsule-proxy`. There are no known workarounds for this issue.
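The advisory only says a malicious `Connection` header defeats the proxy's identity handling. The added example below (not code from the capsule-proxy project) shows one way a reverse proxy can be exposed to that class of bug and how to close it, assuming a proxy built on Go's `net/http/httputil.ReverseProxy` whose `Director` stamps a Kubernetes `Impersonate-User` header onto the outbound request; `ReverseProxy` removes any header named in the request's `Connection` header after `Director` returns, so a client-supplied `Connection` value can strip the header the proxy just added. The identity `alice` and the echo upstream are constructed for the demonstration; the hardened variant drops the client-controlled `Connection` header before setting impersonation headers.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newProxy builds a ReverseProxy whose Director sets Impersonate-User (the
// Kubernetes impersonation header). ReverseProxy deletes headers listed in the
// request's Connection header AFTER Director runs, so that deletion is client
// steerable unless the inbound Connection header is removed first (stripConnection).
func newProxy(upstream string, stripConnection bool) *httputil.ReverseProxy {
	target, _ := url.Parse(upstream)
	return &httputil.ReverseProxy{Director: func(req *http.Request) {
		req.URL.Scheme, req.URL.Host = target.Scheme, target.Host
		if stripConnection {
			req.Header.Del("Connection") // hardened: never trust client hop-by-hop lists
		}
		req.Header.Set("Impersonate-User", "alice") // constructed identity for the demo
	}}
}

// identitySeenUpstream sends one request carrying the given Connection header
// through the proxy to a constructed upstream that echoes back the
// Impersonate-User it received; "" means the impersonation header was lost.
func identitySeenUpstream(stripConnection bool, connection string) string {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Header.Get("Impersonate-User"))
	}))
	defer upstream.Close()
	proxy := httptest.NewServer(newProxy(upstream.URL, stripConnection))
	defer proxy.Close()
	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/api/v1/namespaces", nil)
	req.Header.Set("Connection", connection)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "error: " + err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body)
}

func main() {
	fmt.Printf("Director only: upstream saw %q\n", identitySeenUpstream(false, "Impersonate-User"))
	fmt.Printf("Connection stripped: upstream saw %q\n", identitySeenUpstream(true, "Impersonate-User"))
}
```

Go 1.20 and later also offer the `Rewrite` hook, which runs after hop-by-hop removal and so is not subject to this ordering problem; the header-stripping shown here works on any Go version.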
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Clastix | Capsule-Proxy | < 0.2.1 |
References
- https://github.com/clastix/capsule-proxy/commit/efe91f68ebf8a9e3d21491dc57da7b8a (Patch, Third Party Advisory)
- https://github.com/clastix/capsule-proxy/issues/188 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/clastix/capsule-proxy/security/advisories/GHSA-9cwv-cppx-mqjm (Third Party Advisory)
FAQ
What is CVE-2022-23652?
CVE-2022-23652 is a vulnerability with a CVSS score of 8.8 (HIGH). capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious `Con...
How severe is CVE-2022-23652?
CVE-2022-23652 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-23652?
Check the references section above for vendor advisories and patch information. Affected products include: Clastix Capsule-Proxy.