The vulnerability, tracked as GHSA-fcpm-6mxq-m5vv, enables privilege escalation attacks that fundamentally compromise the multi-tenant isolation model.
The security flaw resides in the namespace validation webhook logic within the pkg/webhook/namespace/validation/patch.go file, specifically in lines 60-77.
The vulnerability stems from insufficient validation logic that only enforces tenant ownership checks when a namespace already contains a tenant label.
System namespaces like kube-system, default, and capsule-system lack the capsule.clastix.io/tenant label by default, creating an exploitable bypass condition.
The attack vector follows a sophisticated multi-stage exploitation path: Label Injection → Namespace Selector → TenantResource/Quota Check → Cross-tenant Resource Access.
This vulnerability pattern mirrors the previously disclosed CVE-2024-39690 but utilizes label injection rather than ownerReference manipulation for privilege escalation.
Malicious actors can exploit this vulnerability through several attack vectors, including unauthorized access to cluster-wide resources, data exfiltration from system namespaces, and circumvention of network policies and security restrictions.
The vulnerability enables attackers to create TenantResource objects with selectors targeting injected labels, effectively granting access to sensitive system components and cross-tenant resources.
| Vulnerability Details | Specifications |
|---|---|
| CVE Identifier | GHSA-fcpm-6mxq-m5vv |
| Affected Versions | ≤0.10.3 |
| Patched Version | 0.10.4 |
| Severity Level | Critical |
| Attack Complexity | Low |
| Privileges Required | Authenticated Tenant User |
| CVSS Base Score | 9.1 (estimated) |
| Vulnerability Type | Authorization Bypass/Privilege Escalation |
Organizations utilizing Capsule for Kubernetes multi-tenancy must immediately upgrade to version 0.10.4, which addresses the namespace validation logic flaws.
The patch implements comprehensive validation checks for system namespace protection and enforces proper tenant boundary enforcement regardless of existing label presence.
Security teams should conduct thorough audits of existing namespace configurations, implement additional monitoring for unauthorized label modifications, and review TenantResource policies for potential exploitation indicators.
Network segmentation policies and RBAC configurations should be validated to ensure defense-in-depth protection against similar privilege escalation vectors.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post Critical Kubernetes Capsule Vulnerability Allows Arbitrary Namespace Label Injection appeared first on Cyber Security News.
Aether OS puts a full-fledged desktop in your browser that ties directly into the AT…
A new weekend has arrived, and today, you can save big on Trails in the…
data-anim is a JavaScript animation library that applies CSS-powered animations to HTML elements while scrolling/hovering/clicking/loading…
The <i-html> web component allows you to dynamically import HTML content inline, similar to an…
Can’t. Stop. Dancing. | Image: Wonderwheel Recordings Shout out to subscriber N_Gorski for today's pick.…
Many Chichester residents carved out their whole Saturday to participate in a marathon-length town meeting,…
This website uses cookies.