SCA: security update for github.com/clastix/capsule (GHSA-x45c-cvp8-q4fm)

high Tenable Cloud Security Plugin ID 420274

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a
ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own
Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule
Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and
Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting
privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement
labels, and being able to start privileged containers that would be able to start a generic Kubernetes
privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available.
(CVE-2022-46167)

See Also

https://github.com/advisories/GHSA-x45c-cvp8-q4fm

Plugin Details

Severity: High

ID: 420274

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-46167

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/5/2022

Vulnerability Publication Date: 12/2/2022

Reference Information

CVE: CVE-2022-46167

cwe: CWE-863