CVE-2022-46167

Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace

Description

Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available.

Category

8.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.07%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: clastix capsule
Published at:
Updated at:

References

Link Tags
https://github.com/clastix/capsule/security/advisories/GHSA-x45c-cvp8-q4fm third party advisory
https://github.com/clastix/capsule/commit/1df430e71be8c4778c82eca3459978ad7d0b4b7b third party advisory patch
https://github.com/clastix/capsule/commit/75525ac19254b0c5111e34d7985e2be7bc8b1ac1 third party advisory patch
https://github.com/clastix/capsule/releases/tag/v0.1.3 patch third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2022-46167?
CVE-2022-46167 has been scored as a high severity vulnerability.
How to fix CVE-2022-46167?
To fix CVE-2022-46167, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-46167 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-46167 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-46167?
CVE-2022-46167 affects clastix capsule.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.