CVE-2023-36815
CVE-2023-36815 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system that allows users to control the recharge resource account `sealos.io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). EPSS estimates a 0.47% chance of exploitation in the next 30 days.
Description
Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system that allows users to control the recharge resource account `sealos.io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource is under the user's control, and the user may have permission to modify it. It is not clear whether a fix exists.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sealos | Sealos | <= 4.2.0 |
References
- https://github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w (Third Party Advisory)
Source: NVD / NIST
