Jun 29, 2023 - 7:15 p.m.

CVE-2023-33190

2023-06-29 19:15:08
CWE-287
CWE-863
GitHub_M
web.nvd.nist.gov
sealos
kubernetes
rbac
cve-2023-33190
cloud operating system
nvd
vulnerability

CVSS3: 9.9

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.3
Confidence: High

EPSS: 0.002
Percentile: 61.2%

Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4, an improper configuration of role-based access control (RBAC) permissions allowed an attacker to obtain cluster control permissions and thereby control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.1-rc4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Node

sealos_project  sealos  Range  <4.2.1
OR
sealos_project  sealos  Match  4.2.1  rc1
OR
sealos_project  sealos  Match  4.2.1  rc2
OR
sealos_project  sealos  Match  4.2.1  rc3

Vendor          Product  Version  CPE
sealos_project  sealos   *        cpe:2.3:o:sealos_project:sealos:*:*:*:*:*:*:*:*
sealos_project  sealos   4.2.1    cpe:2.3:o:sealos_project:sealos:4.2.1:rc1:*:*:*:*:*:*
sealos_project  sealos   4.2.1    cpe:2.3:o:sealos_project:sealos:4.2.1:rc2:*:*:*:*:*:*
sealos_project  sealos   4.2.1    cpe:2.3:o:sealos_project:sealos:4.2.1:rc3:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "labring",
    "product": "sealos",
    "versions": [
      {
        "version": "< 4.2.1-rc4",
        "status": "affected"
      }
    ]
  }
]
