Home > Vulnerability Database > CVE-2023-48312

Mend.io Vulnerability Database

CVE-2023-48312

Good to know:

Date: November 24, 2023

capsule-proxy is a reverse proxy for the capsule operator project. Affected versions are subject to a privilege escalation vulnerability which is based on a missing check if the user is authenticated based on the `TokenReview` result. All the clusters running with the `anonymous-auth` Kubernetes API Server setting disable (set to `false`) are affected since it would be possible to bypass the token review mechanism, interacting with the upper Kubernetes API Server. This privilege escalation cannot be exploited if you're relying only on client certificates (SSL/TLS). This vulnerability has been addressed in version 0.4.6. Users are advised to upgrade.

Language: Go

Severity Score

4.4

Related Resources (4)

Url: https://github.com/projectcapsule/capsule-proxy/commit/472404f7006a4152e4eec76dee07324dd1e6e823

Url: https://github.com/projectcapsule/capsule-proxy/security/advisories/GHSA-fpvw-6m5v-hqfp

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-48312

Url: https://www.mend.io/vulnerability-database/CVE-2023-48312

Severity Score

4.4

Weakness Type (CWE)

Authentication Issues

CWE-287

Top Fix

Upgrade Version

Upgrade to version v0.4.6

Learn More

CVSS v3.1

Base Score:	4.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-48312

Good to know:

Date: November 24, 2023

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?