Capsule Namespace Label Injection Vulnerability Allowing Privilege Escalation

Vulnerability

A namespace label injection vulnerability exists in Capsule versions through 0.10.3. This vulnerability allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation. The injection can potentially be exploited to access cross-tenant resources through TenantResource selectors, leading to privilege escalation and a violation of the security boundaries that Capsule is designed to enforce.

Impact

Exploitation of this vulnerability allows for an authorization bypass, enabling tenant users to inject labels into system namespaces. This injection can be exploited to access cross-tenant resources, bypass resource quotas, and circumvent network and security policies. The vulnerability also poses a risk of unauthorized access to sensitive data, such as secrets and configmaps, in the affected system namespaces.

Reproduction

To reproduce this vulnerability, first set up a Minikube cluster and install Capsule v0.10.3. Create a tenant and an authenticated user with basic RBAC permissions. Once the environment is ready, switch to the context of the user and inject malicious labels into one of the unprotected system namespaces, such as kube-system. After successfully injecting the labels, create a TenantResource that targets the injected labels and verify access to the cross-tenant resources.

Remediation

Users can upgrade to Capsule version 0.10.4, which addresses this vulnerability.
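
Alongside the upgrade, system namespaces can be checked for labels that should not be there. The following is an added example, not code from Capsule or from this advisory: it takes the parsed output of `kubectl get namespaces -o json` and a JSON listing of TenantResource objects, flags non-baseline labels on the three system namespaces named above, and reports `matchLabels` selectors that those namespaces satisfy. The baseline label set, the `spec.resources[].namespaceSelector` field path, the function names and the sample data are assumptions.

```python
# System namespaces named in the advisory.
SYSTEM_NAMESPACES = {"kube-system", "default", "capsule-system"}
# Assumption: label keys expected on an untouched system namespace; extend per cluster.
BASELINE_KEYS = {"kubernetes.io/metadata.name"}

def system_labels(ns_list):
    """Return {namespace: labels} for the system namespaces present in the list."""
    out = {}
    for item in ns_list.get("items", []):
        meta = item.get("metadata", {})
        if meta.get("name") in SYSTEM_NAMESPACES:
            out[meta["name"]] = meta.get("labels") or {}
    return out

def unexpected_labels(ns_list):
    """Labels on system namespaces whose keys are outside the baseline."""
    found = {}
    for name, labels in system_labels(ns_list).items():
        extra = {k: v for k, v in labels.items() if k not in BASELINE_KEYS}
        if extra:
            found[name] = extra
    return found

def selectors_matching_system(ns_list, tr_list):
    """(TenantResource, system namespace) pairs where every matchLabels entry is present."""
    # Assumed field path: spec.resources[].namespaceSelector.matchLabels.
    # matchExpressions are not evaluated; empty selectors are skipped.
    hits, sys_labels = [], system_labels(ns_list)
    for tr in tr_list.get("items", []):
        meta = tr.get("metadata", {})
        ident = f"{meta.get('namespace')}/{meta.get('name')}"
        for res in tr.get("spec", {}).get("resources", []):
            want = (res.get("namespaceSelector") or {}).get("matchLabels") or {}
            for ns, labels in sorted(sys_labels.items()):
                if want and all(labels.get(k) == v for k, v in want.items()):
                    hits.append((ident, ns))
    return hits

# Constructed sample input, not taken from a real cluster.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "kube-system", "labels": {
        "kubernetes.io/metadata.name": "kube-system", "team": "alpha"}}},
    {"metadata": {"name": "default", "labels": {"kubernetes.io/metadata.name": "default"}}},
    {"metadata": {"name": "alpha-dev", "labels": {"team": "alpha"}}}]}
SAMPLE_TENANTRESOURCES = {"items": [
    {"metadata": {"namespace": "alpha-dev", "name": "sync-config"},
     "spec": {"resources": [{"namespaceSelector": {"matchLabels": {"team": "alpha"}}}]}}]}

if __name__ == "__main__":
    print(unexpected_labels(SAMPLE_NAMESPACES))
    print(selectors_matching_system(SAMPLE_NAMESPACES, SAMPLE_TENANTRESOURCES))
```

A non-empty result from either function is a lead to investigate, not proof of exploitation, since some clusters legitimately label system namespaces.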

Added: Aug 18, 2025, 5:23 PM
Updated: Aug 18, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.