CVE-2023-36815

HIGH

Sealos < 4.2.0 - Missing Authorization in Billing System

Title source: llm
STIX 2.1

Description

Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the ability to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information. The namespace of this custom resource would be user's control and may have permission to correct it. It is not clear whether a fix exists.

References (1)

Core 1
Core References

Scores

CVSS v3 7.3
EPSS 0.0055
EPSS Percentile 41.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (2)
labring/sealos 0Go
sealos/sealos < 4.2.0
Published Jul 03, 2023
Tracked Since Feb 18, 2026