CVE-2023-36815: Missing Authorization

June 30, 2023 (updated July 3, 2023)

Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account sealos[.] io/v1/Payment, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user’s control and may have permission to correct it. It is not clear whether a fix exists.

References

github.com/advisories/GHSA-vpxf-q44g-w34w
github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w
nvd.nist.gov/vuln/detail/CVE-2023-36815

Code Behaviors & Features

Detect and mitigate CVE-2023-36815 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →