A user crafting an API request directed at capsule-proxy can get a privilege escalation using the Service Account of the proxy itself.
This is done by passing the Impersonate-User or Impersonate-Group header in the Connection header, using the same exploit described here: GHSA-pvxj-25m6-7vqr
At this point, instead of impersonating the user and their permissions, the request will act as if it was from the Rancher management server Capsule Proxy and incorrectly return the information.
The text was updated successfully, but these errors were encountered:
A user crafting an API request directed at
capsule-proxycan get a privilege escalation using the Service Account of the proxy itself.This is done by passing the
Impersonate-UserorImpersonate-Groupheader in theConnectionheader, using the same exploit described here: GHSA-pvxj-25m6-7vqrThe text was updated successfully, but these errors were encountered: