PT-2023-25706 · Sealos · Sealos

Dvkunion · Published 2023-06-30 · Updated 2023-07-10 · CVE-2023-36815

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Sealos versions 4.2.0 and prior

Description: Sealos, a cloud operating system for managing cloud-native applications, has a permission flaw in its billing system. The flaw allows users to control the recharge resource account via the sealos.io/v1/Payment endpoint, enabling them to recharge any amount for 1 renminbi (RMB). The charging interface may expose resource information, and because the namespace of this custom resource is under the user's control, it potentially allows permission correction.

Recommendations: For Sealos versions 4.2.0 and prior, no newer version containing a fix for this vulnerability is known at the moment. As a temporary workaround, restrict access to the sealos.io/v1/Payment endpoint to minimize the risk of exploitation, and avoid using the custom resource associated with this endpoint until the issue is resolved.

Exploit

Weakness Enumeration

Improper Authentication
Missing Authorization

Related Identifiers

CVE-2023-36815
GHSA-VPXF-Q44G-W34W

Affected Products

Sealos