VYPR
High severity · NVD Advisory · Published Jul 3, 2023 · Updated Nov 6, 2024

Sealos billing system permission control defect

CVE-2023-36815

Description

Sealos billing system permission flaw allows users to control recharge resource accounts and set any amount.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2023-36815 is a permission flaw in the Sealos billing system, affecting version 4.2.0 and prior. The vulnerability allows users to control the recharge resource account sealos.io/v1/Payment, enabling them to set any recharge amount (e.g., 1 RMB) without proper authorization [1][3]. The root cause is improper authentication (CWE-287) in the custom resource handling, where the namespace of the resource is under the user's control [3].

Exploitation

Prerequisites

An attacker with access to the Sealos public cloud can exploit this by interacting with the charging interface, which may expose resource information [1]. The user-controlled namespace allows modification of the Payment resource, bypassing intended billing controls [3]. No special network position is required beyond normal user access.

Impact

A successful exploit enables an attacker to arbitrarily set recharge amounts, potentially leading to financial loss or service abuse. The billing system's improper permission control undermines the integrity of resource accounting [1][3].

Mitigation

Status

The advisory notes it is unclear whether a fix exists, and no patch has been confirmed [1][3]. Users should monitor vendor channels for updates and consider restricting access to the billing API.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
github.com/labring/sealos   Go   <= 4.2.0   none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3
