The vulnerability, tracked as GHSA-fcpm-6mxq-m5vv, enables privilege escalation attacks that fundamentally compromise the multi-tenant isolation model.
The security flaw resides in the namespace validation webhook logic within the pkg/webhook/namespace/validation/patch.go file, specifically in lines 60-77.
The vulnerability stems from insufficient validation logic that only enforces tenant ownership checks when a namespace already contains a tenant label.
System namespaces like kube-system, default, and capsule-system lack the capsule.clastix.io/tenant label by default, creating an exploitable bypass condition.
The attack vector follows a sophisticated multi-stage exploitation path: Label Injection → Namespace Selector → TenantResource/Quota Check → Cross-tenant Resource Access.
This vulnerability pattern mirrors the previously disclosed CVE-2024-39690 but utilizes label injection rather than ownerReference manipulation for privilege escalation.
Malicious actors can exploit this vulnerability through several attack vectors, including unauthorized access to cluster-wide resources, data exfiltration from system namespaces, and circumvention of network policies and security restrictions.
The vulnerability enables attackers to create TenantResource objects with selectors targeting injected labels, effectively granting access to sensitive system components and cross-tenant resources.
| Vulnerability Details | Specifications |
|---|---|
| CVE Identifier | GHSA-fcpm-6mxq-m5vv |
| Affected Versions | ≤0.10.3 |
| Patched Version | 0.10.4 |
| Severity Level | Critical |
| Attack Complexity | Low |
| Privileges Required | Authenticated Tenant User |
| CVSS Base Score | 9.1 (estimated) |
| Vulnerability Type | Authorization Bypass/Privilege Escalation |
Organizations utilizing Capsule for Kubernetes multi-tenancy must immediately upgrade to version 0.10.4, which addresses the namespace validation logic flaws.
The patch implements comprehensive validation checks for system namespace protection and enforces proper tenant boundary enforcement regardless of existing label presence.
Security teams should conduct thorough audits of existing namespace configurations, implement additional monitoring for unauthorized label modifications, and review TenantResource policies for potential exploitation indicators.
Network segmentation policies and RBAC configurations should be validated to ensure defense-in-depth protection against similar privilege escalation vectors.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post Critical Kubernetes Capsule Vulnerability Allows Arbitrary Namespace Label Injection appeared first on Cyber Security News.
Marvel Studios mastermind Kevin Feige has opened up about the decision to bring Robert Downey…
Project Hail Mary author Andy Weir has revealed his “only regret” about the movie, confirming…
Slay the Spire 2 developer Mega Crit has published a detailed roadmap for Slay the…
A new weekend has arrived, and today, you can save big on the 4K Movies,…
Resident Evil Requiem fans believe next month’s mysterious content update will add a new version…
Wrestlemania 42 is finally here, and I’m here in Las Vegas at Allegiant Stadium to…
This website uses cookies.