CVE-2023-33190

Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.1-rc4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/labring/sealos/commit/4cdf52e55666864e5f90ed502e9fc13e18985b7b	Patch
https://github.com/labring/sealos/security/advisories/GHSA-74j8-w7f9-pp62	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:sealos_project:sealos::::::::
	cpe:2.3:o:sealos_project:sealos:4.2.1:rc1::::::
	cpe:2.3:o:sealos_project:sealos:4.2.1:rc2::::::
	cpe:2.3:o:sealos_project:sealos:4.2.1:rc3::::::

History

07 Jul 2023, 18:09

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/labring/sealos/security/advisories/GHSA-74j8-w7f9-pp62 -~~	(MISC) https://github.com/labring/sealos/security/advisories/GHSA-74j8-w7f9-pp62 - Vendor Advisory
References	~~(MISC) https://github.com/labring/sealos/commit/4cdf52e55666864e5f90ed502e9fc13e18985b7b -~~	(MISC) https://github.com/labring/sealos/commit/4cdf52e55666864e5f90ed502e9fc13e18985b7b - Patch
CWE	~~CWE-287~~	CWE-863
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Sealos Project Sealos Project sealos
CPE		cpe:2.3:o:sealos_project:sealos:4.2.1:rc2:::::: cpe:2.3:o:sealos_project:sealos:::::::: cpe:2.3:o:sealos_project:sealos:4.2.1:rc1:::::: cpe:2.3:o:sealos_project:sealos:4.2.1:rc3::::::

30 Jun 2023, 14:15

Type	Values Removed	Values Added
References		(MISC) https://github.com/labring/sealos/commit/4cdf52e55666864e5f90ed502e9fc13e18985b7b -
Summary	Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.0 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.	Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.1-rc4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

29 Jun 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-29 19:15

Updated : 2024-02-28 20:13

NVD link : CVE-2023-33190

Mitre link : CVE-2023-33190

CVE.ORG link : CVE-2023-33190

JSON object : View

Products Affected

sealos_project

sealos

CWE

CWE-863

Incorrect Authorization

CWE-287

Improper Authentication

9.8 /10