Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NGo4LXc3ZjktcHA2Ms4AA0KE
Improper configuration of RBAC permissions obtaining cluster control permissions
Summary
Improperly configured RBAC permissions allowed a user to obtain cluster-control permissions, which could be used to control the entire cluster deployed with Sealos, including the hundreds of pods and other resources running in it.
Details
Details withheld at publication.
PoC
Details withheld at publication.
Impact
- Sealos public cloud users
Weakness: CWE-287 Improper Authentication
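Because the advisory withholds its details and PoC, the practical takeaway from the summary above is the check itself: find cluster-wide bindings that hand a tenant principal control of the whole cluster. The Go program below is an example added here, not code from Sealos or the advisory, and it runs offline on a constructed sample. The weak binding (a tenant user bound to cluster-admin through a ClusterRoleBinding) sits beside the corrected form (the same user bound to cluster-admin only through a RoleBinding in their own namespace). The names alice, ns-alice, tenant-controller and controller, and the heuristic in grantsClusterAdmin, are assumptions of this example, not anything the advisory states.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of rbac.authorization.k8s.io/v1. encoding/json matches names case-insensitively,
// so items from `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` decode as-is.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type ClusterRole struct {
	Metadata struct{ Name string }
	Rules    []PolicyRule
}
type Subject struct{ Kind, Name, Namespace string } // Kind is User, Group or ServiceAccount
type Binding struct {
	Kind     string // ClusterRoleBinding (cluster-wide) or RoleBinding (one namespace)
	Metadata struct{ Name, Namespace string }
	Subjects []Subject
	RoleRef  struct{ Kind, Name string }
}
type Finding struct{ Binding string; Subject Subject; Reason string }

// has reports whether list names want, treating "*" as matching everything.
func has(list []string, want string) bool {
	for _, s := range list {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

// grantsClusterAdmin is a coarse heuristic (an assumption of this example): wildcard verbs on wildcard
// resources, or escalate/bind on cluster RBAC objects. Aggregated ClusterRoles are not expanded.
func grantsClusterAdmin(role ClusterRole) (bool, string) {
	for _, r := range role.Rules {
		if has(r.Verbs, "*") && has(r.Resources, "*") {
			return true, "wildcard verbs on wildcard resources"
		}
		if (has(r.Verbs, "escalate") || has(r.Verbs, "bind")) &&
			(has(r.Resources, "clusterroles") || has(r.Resources, "clusterrolebindings")) {
			return true, "escalate/bind on cluster RBAC objects"
		}
	}
	return false, ""
}

// Audit flags ClusterRoleBindings that hand a non-bootstrap principal cluster control. RoleBindings are
// skipped: what they reference is confined to one namespace, so even cluster-admin there stays tenant-scoped.
func Audit(roles []ClusterRole, bindings []Binding) []Finding {
	byName := map[string]ClusterRole{}
	for _, r := range roles {
		byName[r.Metadata.Name] = r
	}
	var out []Finding
	for _, b := range bindings {
		if b.Kind != "ClusterRoleBinding" || b.RoleRef.Kind != "ClusterRole" {
			continue
		}
		admin, why := grantsClusterAdmin(byName[b.RoleRef.Name]) // unknown role: zero value, no grant
		for _, s := range b.Subjects {
			// system:masters is the group Kubernetes itself binds to cluster-admin at bootstrap.
			if admin && !(s.Kind == "Group" && s.Name == "system:masters") {
				out = append(out, Finding{b.Metadata.Name, s, why})
			}
		}
	}
	return out
}

// Constructed sample (assumed names, not Sealos data): the bootstrap binding, a tenant user wrongly bound
// cluster-wide, the same user correctly bound only in their namespace, and a controller that can bind roles.
const sample = `{"roles":[
 {"metadata":{"name":"cluster-admin"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"metadata":{"name":"tenant-controller"},"rules":[{"apiGroups":["rbac.authorization.k8s.io"],"resources":["clusterrolebindings"],"verbs":["create","bind"]}]}
],"bindings":[
 {"kind":"ClusterRoleBinding","metadata":{"name":"cluster-admin"},"subjects":[{"kind":"Group","name":"system:masters"}],"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},
 {"kind":"ClusterRoleBinding","metadata":{"name":"tenant-alice-admin"},"subjects":[{"kind":"User","name":"alice"}],"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},
 {"kind":"RoleBinding","metadata":{"name":"alice-ns-admin","namespace":"ns-alice"},"subjects":[{"kind":"User","name":"alice"}],"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},
 {"kind":"ClusterRoleBinding","metadata":{"name":"tenant-controller"},"subjects":[{"kind":"ServiceAccount","name":"controller","namespace":"ns-alice"}],"roleRef":{"kind":"ClusterRole","name":"tenant-controller"}}
]}`

// AuditSample decodes the constructed input and runs the audit over it.
func AuditSample() ([]Finding, error) {
	var in struct{ Roles []ClusterRole; Bindings []Binding }
	if err := json.Unmarshal([]byte(sample), &in); err != nil {
		return nil, err
	}
	return Audit(in.Roles, in.Bindings), nil
}

func main() {
	findings, err := AuditSample()
	if err != nil {
		panic(err)
	}
	fmt.Println(findings)
}
```

On the sample it reports two findings: tenant-alice-admin (User alice bound cluster-wide to cluster-admin) and tenant-controller (a tenant ServiceAccount that can bind ClusterRoles, and so can grant itself cluster-admin). The RoleBinding for the same user in ns-alice is not reported, because a RoleBinding confines the referenced role to that namespace. To run it against a real cluster, decode the items of the kubectl output named in the comment into the same structs. The heuristic looks only at bindings: other roads to cluster control, such as creating pods in kube-system or impersonating users, need their own rules, and ClusterRoles assembled by an aggregationRule must be expanded before they are judged.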
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NGo4LXc3ZjktcHA2Ms4AA0KE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Percentage: 0.00336
EPSS Percentile: 0.70921
Identifiers: GHSA-74j8-w7f9-pp62, CVE-2023-33190
References:
- https://github.com/labring/sealos/security/advisories/GHSA-74j8-w7f9-pp62
- https://nvd.nist.gov/vuln/detail/CVE-2023-33190
- https://github.com/labring/sealos/commit/4cdf52e55666864e5f90ed502e9fc13e18985b7b
- https://github.com/advisories/GHSA-74j8-w7f9-pp62
Blast Radius: 13.4
Affected Packages
go:github.com/labring/sealos
Dependent packages: 8
Dependent repositories: 22
Downloads:
Affected Version Ranges: < 4.2.1-rc4
Fixed in: 4.2.1-rc4
All affected versions: 1.13.0, 1.13.2, 1.14.0, 2.0.3
All unaffected versions: