An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12cHhmLXE0NGctdzM0d84AA0KL

Sealos billing system permission control defect


There is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account. sealos. io/v1/Payment, resulting in the ability to recharge any amount of 1 RMB.


The reason is that sealos is in arrears. Egg pain, we can't create a terminal anymore. Let's charge for it:

Then it was discovered that the charging interface had returned all resource information. Unfortunately, based on previous vulnerability experience, the namespace of this custom resource is still under the current user's control and may have permission to correct it.


disable by publish


Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 5 months ago

CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Identifiers: GHSA-vpxf-q44g-w34w, CVE-2023-36815
References: Repository:
Blast Radius: 9.8

Affected Packages
Dependent packages: 8
Dependent repositories: 22
Affected Version Ranges: <= 4.2.0
No known fixed version
All affected versions: 1.13.0, 1.13.2, 1.14.0, 2.0.3