CVE-2023-33190
Improper configuration of RBAC permissions obtaining cluster control permissions
Severity: 9.9 CRITICAL (CVSS 3.1)
EPSS: 0.22%
Description
### Summary

Improper configuration of RBAC permissions resulted in obtaining cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster.

### Details

Details are not disclosed in this publication.

### PoC

Details are not disclosed in this publication.

### Impact

- Sealos public cloud users
- CWE-287 Improper Authentication
How to fix CVE-2023-33190
To remediate CVE-2023-33190, upgrade the affected package to the fixed version listed below.
- Upgrade to 4.2.1-rc4 or later
Is CVE-2023-33190 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Affected versions: >= 0, < 4.2.1-rc4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.9) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |