CVE-2023-36815

2023-07-0318:15:09

CWE-862

[email protected]

web.nvd.nist.gov

sealos

cloud operating system

permission flaw

billing system

resource account

recharge

cve-2023-36815

nvd

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.9 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.2%

JSON

Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account sealos[.] io/v1/Payment, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user’s control and may have permission to correct it. It is not clear whether a fix exists.

Affected configurations

Vulners

NVD

Node

labringsealosRange≤4.2.0

CPENameOperatorVersion
sealos:sealossealosle4.2.0

CPE	Name	Operator	Version
sealos:sealos	sealos	le	4.2.0

CNA Affected

[
  {
    "vendor": "labring",
    "product": "sealos",
    "versions": [
      {
        "version": "<= 4.2.0",
        "status": "affected"
      }
    ]
  }
]