Capsule is a multi-tenancy and policy-based Kubernetes framework where the Capsule Controller operates with cluster-admin privileges. Before version 0.13.0, the logic that processes TenantResource RawItems forcibly sets namespaces but fails to restrict creation of cluster-scoped resources such as ClusterRole and ValidatingWebhookConfiguration. Tenant administrators with Tenant Owner privileges can exploit this to create cluster-scoped resources indirectly via the Controller's elevated privileges, resulting in cross-tenant privilege escalation. The attack requires the Capsule Controller to run with cluster-admin privileges (default) and is limited by the presence of admission controllers that may block such resource creation. Version 0.13.0 includes a patch that addresses this improper input validation vulnerability.

An attacker with Tenant Owner privileges can leverage this vulnerability to escalate privileges beyond their tenant scope by creating cluster-scoped resources through the Capsule Controller's elevated privileges. This can lead to unauthorized cluster-level modifications and attacks affecting multiple tenants. The impact is limited by the requirement of Tenant Owner privileges, the default cluster-admin privilege configuration of the Capsule Controller, and potential cluster admission controllers that may block malicious resource creation.

Upgrade to Capsule version 0.13.0 or later, where this vulnerability is patched. Since the Capsule Controller runs with cluster-admin privileges by default, consider reviewing and restricting these privileges if possible. Additionally, implement or verify the presence of admission controllers that can block unauthorized cluster-scoped resource creation. Patch status is not explicitly confirmed in the vendor advisory, but version 0.13.0 is stated as the fixed release.