Vulnerabilities > CVE-2023-36815 - Missing Authorization vulnerability in Sealos

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

sealos

CWE-862

NVD

Published: 2023-07-03

Updated: 2023-07-10

Summary

Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user's control and may have permission to correct it. It is not clear whether a fix exists.

Vulnerable Configurations

Part	Description	Count
OS	Sealos Sealos Sealos *	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w