CVE-2023-36815

2023-07-0318:15:09

CWE-862

[email protected]

web.nvd.nist.gov

cloud operating system

permission flaw

billing system

recharge resource account

rmb

charging interface

resource information

custom resource

namespace control

fix

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.3%

JSON

Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account sealos[.] io/v1/Payment, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user’s control and may have permission to correct it. It is not clear whether a fix exists.