CVE-2023-33190 – github.com/labring/sealos
Package
Manager: go
Name: github.com/labring/sealos
Vulnerable Version: >=0 <4.2.1-rc4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00166 (percentile 0.38155)
Details
Improper configuration of RBAC permissions allows obtaining cluster control permissions

### Summary
Improper configuration of RBAC permissions resulted in obtaining cluster control permissions, which could be used to control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster.

### Details
Details are withheld from publication.

### PoC
Details are withheld from publication.

### Impact
+ Sealos public cloud users
+ CWE-287 Improper Authentication
Metadata
Created: 2023-06-30T20:25:52Z
Modified: 2023-06-30T20:25:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-74j8-w7f9-pp62/GHSA-74j8-w7f9-pp62.json
CWE IDs: ["CWE-287", "CWE-863"]
Alternative ID: GHSA-74j8-w7f9-pp62
Finding: F006
Auto approve: 1