Dvkunion

**Name of the Vulnerable Software and Affected Versions** Laf versions 1.0.0-beta.13 and prior **Description** Laf is a cloud development platform that uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, the interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. **Recommendations** For versions 1.0.0-beta.13 and prior, as a temporary workaround, consider restricting access to the log retrieval interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Laf versions prior to 1.0.0-beta.13 **Description** Laf is a cloud development platform where the control of LAF app environment variables is not strict enough, potentially leading to sensitive information leakage in secret and configmap. This issue arises in certain scenarios of privatization environment. The problem occurs when an object directly references another object in ES6 syntax, and the entire object structure is integrated intact. Sensitive information can be read through the k8s envFrom field, especially when `namespaceConf.fixed` is marked in a privatization environment. **Recommendations** For versions prior to 1.0.0-beta.13, as a temporary workaround, consider restricting access to sensitive information in the secret and configmap to minimize the risk of exploitation. Avoid using the `envFrom` field in the k8s configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sealos versions 4.2.0 and prior **Description** Sealos, a Cloud Operating System for managing cloud-native applications, has a permission flaw in its billing system. This flaw allows users to control the recharge resource account via the `sealos.io/v1/Payment` endpoint, enabling them to recharge any amount of 1 renminbi (RMB). The charging interface may expose resource information, and the namespace of this custom resource is under the user's control, potentially allowing permission to correct it. **Recommendations** For Sealos versions 4.2.0 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `sealos.io/v1/Payment` endpoint to minimize the risk of exploitation. Additionally, avoid using the custom resource associated with this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Sealos versions prior to 4.2.1-rc4 **Description** The issue is related to an improper configuration of role-based access control (RBAC) permissions in Sealos, an open-source cloud operating system distribution based on the Kubernetes kernel. This configuration flaw allows an attacker to obtain cluster control permissions, potentially controlling the entire cluster, hundreds of pods, and other resources within the cluster. The estimated number of potentially affected devices is not specified. **Recommendations** For Sealos versions prior to 4.2.1-rc4, upgrade to version 4.2.1-rc4 or later to address the issue. As a temporary workaround, consider restricting access to RBAC permissions to minimize the risk of exploitation. There are no known workarounds for this issue other than upgrading to the fixed version.