GHSA-74j8-w7f9-pp62

Source
https://github.com/advisories/GHSA-74j8-w7f9-pp62
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-74j8-w7f9-pp62/GHSA-74j8-w7f9-pp62.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-74j8-w7f9-pp62
Aliases
Published
2023-06-30T20:25:52Z
Modified
2023-11-01T05:02:09.507914Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Improper configuration of RBAC permissions obtaining cluster control permissions
Details

Summary

Improper configuration of RBAC permissions resulted in obtaining cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster.

Details

Details are not disclosed at publication.

PoC

Details are not disclosed at publication.

Impact

  • Sealos public cloud users
  • CWE-287 Improper Authentication
Database specific
{
    "cwe_ids": [
        "CWE-287",
        "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-30T20:25:52Z",
    "nvd_published_at": "2023-06-29T19:15:08Z",
    "severity": "CRITICAL"
}
References

Affected packages

Go / github.com/labring/sealos

Package

Name
github.com/labring/sealos
Purl
pkg:golang/github.com/labring/sealos

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.2.1-rc4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-74j8-w7f9-pp62/GHSA-74j8-w7f9-pp62.json"