Home > Vulnerability Database > CVE-2023-48312

Mend.io Vulnerability Database

CVE-2023-48312

Date: November 24, 2023

capsule-proxy is a reverse proxy for the capsule operator project. Affected versions are subject to a privilege escalation vulnerability which is based on a missing check if the user is authenticated based on the `TokenReview` result. All the clusters running with the `anonymous-auth` Kubernetes API Server setting disable (set to `false`) are affected since it would be possible to bypass the token review mechanism, interacting with the upper Kubernetes API Server. This privilege escalation cannot be exploited if you're relying only on client certificates (SSL/TLS). This vulnerability has been addressed in version 0.4.6. Users are advised to upgrade.

Language: Go

Severity Score

9.8

Related Resources (5)

Url: https://github.com/projectcapsule/capsule-proxy/commit/472404f7006a4152e4eec76dee07324dd1e6e823

Url: https://github.com/projectcapsule/capsule-proxy

Url: https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-48312

Url: https://www.mend.io/vulnerability-database/CVE-2023-48312

Severity Score

9.8

Weakness Type (CWE)

Improper Authentication

CWE-287

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-48312

Date: November 24, 2023

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?