Vulnerability Details : CVE-2023-36815
Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user's control and may have permission to correct it. It is not clear whether a fix exists.
Products affected by CVE-2023-36815
- cpe:2.3:o:sealos:sealos:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-36815
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 24 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-36815
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
NIST | |
7.3
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
2.1
|
5.2
|
GitHub, Inc. |
CWE ids for CVE-2023-36815
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-36815
-
https://github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w
Sealos billing system permission control defect · Advisory · labring/sealos · GitHubThird Party Advisory
Jump to