Vulnerability Description
Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the ability to recharge any amount for 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource is under the user's control, and the user may have permission to modify it. It is not clear whether a fix exists.
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sealos | Sealos | <= 4.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w (Third Party Advisory)
FAQ
What is CVE-2023-36815?
CVE-2023-36815 is a vulnerability with a CVSS score of 7.3 (HIGH). Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control t...
How severe is CVE-2023-36815?
CVE-2023-36815 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-36815?
Check the references section above for vendor advisories and patch information. Affected products include: Sealos (vendor: Sealos), versions 4.2.0 and prior.