CVE-2023-36815 HIGH

CVE-2023-36815: Sealos billing system permission control defect

Vendor Labring

Product sealos

Weakness CWE-862 · Missing authorization

Published July 3, 2023

Last update November 6, 2024

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user's control and may have permission to correct it. It is not clear whether a fix exists.

Key dates

02Disclosure timeline

July 3, 2023 CVE published

November 6, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-36815 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

CVE-2023-36815: Sealos billing system permission control defect

01Description

02Disclosure timeline

03References

04Related CVE