CVE-2022-46167 HIGH

CVE-2022-46167: Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace

Vendor Clastix
Product capsule
Weakness CWE-863 · Incorrect authorization
Published December 2, 2022
Last update April 23, 2025
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available.

Key dates

02Disclosure timeline

December 2, 2022 CVE published
April 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-29773 kubewarden-controller cross-namespace data exfiltration via deprecated host callback binding CVE-2026-41910 OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes CVE-2025-1472 Unauthorized View Access to Site Statistics and Team Statistics CVE-2024-29834 Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints CVE-2025-3880 Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.9.0 - Incorrect Authorization to Authenticated (Contributor+) Plugin Settings Update