CVE-2023-36815
HIGH
Sealos < 4.2.0 - Missing Authorization in Billing System
Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system: users can control the recharge resource `sealos.io/v1/Payment`, which allows them to recharge any amount for 1 renminbi (RMB). The charging interface may also expose resource information. The namespace of this custom resource is under the user's control, and the user may have permission to modify the resource (CWE-862, Missing Authorization). It is not clear whether a fix exists.
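To make the authorization gap concrete, the following is an added example (not code from the page or from the Sealos project) of a billing controller that credits a user-created Payment-style custom resource. The `PaymentSpec` fields, the `Gateway` interface and the fen-denominated ledger are all assumptions made for illustration, not Sealos's real schema or API. The vulnerable function trusts the amount written into the resource by the user who owns the namespace; the hardened one credits only what the payment gateway confirms was settled, checks that the trade belongs to the user named in the resource, and refuses to credit the same trade twice.

```go
package main

import (
	"errors"
	"fmt"
)

// PaymentSpec is a hypothetical, simplified stand-in for the user-writable
// part of a Payment custom resource. Field names are assumptions made for
// this example, not Sealos's real schema.
type PaymentSpec struct {
	UserID  string // account to credit
	Amount  int64  // amount the user asks to be credited, in fen (1/100 RMB)
	TradeNo string // identifier of the transaction at the payment gateway
}

// Payment is the object a user creates in a namespace they control.
type Payment struct {
	Namespace string
	Spec      PaymentSpec
}

// GatewayRecord is what the (hypothetical) payment gateway says was paid.
type GatewayRecord struct {
	Payer string
	Paid  int64
}

// Gateway looks up a settled transaction by its trade number.
type Gateway interface {
	Lookup(tradeNo string) (GatewayRecord, error)
}

// fakeGateway is an in-memory gateway holding constructed data for the example.
type fakeGateway map[string]GatewayRecord

func (g fakeGateway) Lookup(tradeNo string) (GatewayRecord, error) {
	rec, ok := g[tradeNo]
	if !ok {
		return GatewayRecord{}, fmt.Errorf("unknown trade %q", tradeNo)
	}
	return rec, nil
}

// Ledger maps a user ID to its balance in fen.
type Ledger map[string]int64

// vulnerableCredit shows the missing-authorization pattern: the controller
// credits whatever spec.Amount the user wrote, so a user who paid 1 RMB
// can ask for any balance.
func vulnerableCredit(l Ledger, p Payment) {
	l[p.Spec.UserID] += p.Spec.Amount
}

// hardenedCredit treats the resource as untrusted input: the amount is taken
// from the gateway's settled record, the trade must belong to the user named
// in the resource, and each trade can be credited only once.
func hardenedCredit(l Ledger, gw Gateway, p Payment, consumed map[string]bool) error {
	if consumed[p.Spec.TradeNo] {
		return errors.New("trade already credited (replay)")
	}
	rec, err := gw.Lookup(p.Spec.TradeNo)
	if err != nil {
		return err
	}
	if rec.Payer != p.Spec.UserID {
		return errors.New("trade was not paid by the user named in the resource")
	}
	if rec.Paid != p.Spec.Amount {
		return fmt.Errorf("resource asks for %d fen but gateway settled %d fen", p.Spec.Amount, rec.Paid)
	}
	consumed[p.Spec.TradeNo] = true
	l[p.Spec.UserID] += rec.Paid // credit the settled amount, never the requested one
	return nil
}

func main() {
	// Constructed data: alice really paid 1 RMB (100 fen) under trade T1.
	gw := fakeGateway{"T1": {Payer: "alice", Paid: 100}}
	inflated := Payment{Namespace: "ns-alice", Spec: PaymentSpec{UserID: "alice", Amount: 100_000_000, TradeNo: "T1"}}

	vuln := Ledger{}
	vulnerableCredit(vuln, inflated)
	fmt.Printf("vulnerable: alice balance = %d fen\n", vuln["alice"])

	hard := Ledger{}
	consumed := map[string]bool{}
	if err := hardenedCredit(hard, gw, inflated, consumed); err != nil {
		fmt.Println("hardened rejected inflated request:", err)
	}
	honest := inflated
	honest.Spec.Amount = 100
	if err := hardenedCredit(hard, gw, honest, consumed); err != nil {
		fmt.Println("unexpected:", err)
	}
	fmt.Printf("hardened: alice balance = %d fen\n", hard["alice"])
}
```

The design point is that a custom resource in a namespace the user can write to is user input, whatever its kind name suggests; the controller must derive every security-relevant value (amount, payer, idempotency) from a source the user cannot edit, and RBAC on the CRD is not a substitute for that check when the user legitimately needs to create the object.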
References (1)
Core References
https://github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w (Third Party Advisory, x_refsource_confirm)
Scores
CVSS v3: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK
EPSS: 0.0055 (percentile 41.9%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-862
Status: published
Products (2)
labring/sealos (Go)
sealos/sealos: < 4.2.0
Published: Jul 03, 2023
Tracked Since: Feb 18, 2026