CVE-2023-33190: 
vulnerability analysis and mitigation

Sealos, an open source cloud operating system distribution based on the Kubernetes kernel, was found to have a critical vulnerability (CVE-2023-33190) in versions prior to 4.2.1-rc4. The vulnerability was related to improper configuration of role based access control (RBAC) permissions (NVD, GitHub Advisory).

The vulnerability stems from an improper configuration of role based access control (RBAC) permissions. It received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a score of 9.9 (CRITICAL) from GitHub with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-863 (Incorrect Authorization) and CWE-287 (Improper Authentication) (NVD).

An attacker exploiting this vulnerability could obtain cluster control permissions, which would allow them to control the entire cluster deployed with Sealos, including hundreds of pods and other resources within the cluster (NVD, GitHub Advisory).

The vulnerability has been patched in Sealos version 4.2.1-rc4. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (NVD).